WordPress Vulnerability: DoS flaw could bring down your site
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

WordPress Vulnerability: DoS flaw could bring down your site

WordPress isn’t going to patch it, either…

WordPress is the most popular Content Management System (CMS) in the entire world. In fact, WordPress powers 29% of the web. That’s why it’s alarming the company isn’t going to patch a DoS vulnerability that, when exploited, could easily bring down an entire website.

Let’s start back at the beginning.

Israeli research Barak Tawily discovered a vulnerability (CVE-2018-6389) in the way that “load-scripts.php” processes user-defined requests. “load-scripts.php” is a built-in script that was designed for users with admin permissions to help improve website performance and page load speeds by combining JavaScript files into a single request.

To do this, “load-scripts.php” calls the required JavaScript files by passing their names into its load parameter. Once it’s called every JavaScript file in a given URL it sends them back in a single file.

That’s a lot to untangle, maybe this comparison will help. This script acts kind of like a project manager would: they manage a bunch of different inputs from different team members, then organize it into one coherent document before presenting it to management.

What is the WordPress Vulnerability?

Unfortunately, WordPress, in attempting to make “load-scripts.php” work on the admin login page, forgot to put authentication in place. That means that it’s accessible to anyone.

Here’s where the exploit comes in. Because the “load-scripts.php” file is accessible to anyone an attacker can bring down an entire website simply by forcing “load-scripts.php” to call all possible JavaScript files in one go by passing their names into the Load Parameter. That, in turn, makes the targeted website slow to a crawl due to high usage of the CPU and server memory.

One attacker would likely not be able to take a site down on their own. But Tawily provides a Proof of Concept that showed what a distributed attack could accomplish. Hacker News independently confirmed the exploit. They used it to bring down a test site on a medium-sized server. It was unable to knock another site with a dedicated server offline.

That doesn’t mean the attack wouldn’t still be effective against a site with higher server power. It could still put considerable strain on the server’s resources.

WordPress to the Rescue… or not

Here’s where the story gets aggravating though, Tawily submitted the bug to WordPress, who promptly did nothing. WordPress has no plans to patch it. Their argument is that it should be handled at the server or network level.

Fortunately, Tawily produced a patch for WordPress users.

If you’re a WordPress user, this applies to you. It applies to every WordPress version for the past nine years—including the most recent one (4.9.2).

So maybe get on that.

Happy Monday.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.