
Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites

CyberWisdom Safe Harbor Commentary on DoS Flaw:

A recent story from thehackernews.com describes a simple but serious application-level denial of service (DoS) vulnerability discovered in the WordPress CMS platform. It allows anyone to take down most WordPress sites from a single machine, without the large amount of bandwidth that a network-level DDoS attack would need to achieve the same effect.
Because the company declined to fix the issue, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all WordPress releases of the past nine years, including the latest version of WordPress (version 4.9.2).
Israeli security researcher Barak Tawily found that the vulnerability resides in the WordPress CMS built-in script “load-scripts.php” that handles user-defined requests.

For those who do not know, the load-scripts.php file is designed for admin users and helps the site improve performance and load pages faster by consolidating multiple JavaScript files (on the server side) into a single request.

Depending on the plug-ins and modules you install, the load-scripts.php file selectively loads the required JavaScript files by passing their names in the “load” parameter, as the URL below shows:
https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery
When a page is loaded, ‘load-scripts.php’ tries to find each of the JavaScript file names given in the URL, appends their content to a single file and sends it back to the user's browser.

According to the researcher, an attacker can simply force load-scripts.php to load all possible JavaScript files (181 scripts) in one request by listing them in the “load” parameter, causing the target site to consume high CPU and server memory.
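Because the abuse shows up as requests to load-scripts.php naming far more scripts than any normal admin page needs, a defender can spot it in the web server access log. The following detection is an added example, not code from the original article or from WordPress; the log lines are constructed, and the threshold of 40 scripts per request is an assumption chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed threshold: a normal admin page asks for a handful of script
# bundles, while the abuse described above lists up to 181 in one request.
MAX_SCRIPTS_PER_REQUEST = 40

# Combined log format: client, timestamp, request line, status, bytes sent
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+)')

# Constructed sample log lines (documentation IP ranges, synthetic script names)
SAMPLE_LOG = [
    # a normal admin page pulling five script bundles
    '203.0.113.5 - - [05/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php'
    '?c=1&load=editor,common,user-profile,media-widgets,media-gallery HTTP/1.1" 200 51200',
    # one client asking for 60 scripts in a single request
    '198.51.100.7 - - [05/Feb/2018:10:00:02 +0000] "GET /wp-admin/load-scripts.php?c=1&load='
    + ",".join(f"s{i}" for i in range(60)) + ' HTTP/1.1" 200 900000',
    # an unrelated page view
    '203.0.113.5 - - [05/Feb/2018:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

def scripts_requested(path):
    """Return the script names in the 'load' parameter, or [] if the path is not load-scripts.php."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/load-scripts.php"):
        return []
    names = []
    for value in parse_qs(parts.query).get("load", []):
        # the parameter is a comma-separated list; ignore empty entries
        names.extend(n for n in value.split(",") if n)
    return names

def flag_abusive_requests(lines, threshold=MAX_SCRIPTS_PER_REQUEST):
    """Return (client, script_count) for every load-scripts.php request over the threshold."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected log format
        client, _ts, _method, path, _status, _size = m.groups()
        count = len(scripts_requested(path))
        if count > threshold:
            hits.append((client, count))
    return hits

if __name__ == "__main__":
    for client, count in flag_abusive_requests(SAMPLE_LOG):
        print(f"{client} requested {count} scripts in one load-scripts.php call")
```

Alerting on the count per request, and on repeated hits from one client, gives an early signal long before CPU and memory exhaustion takes the site down.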
