A DoS Flaw That Could Help Take Down WordPress Websites
A simple but serious application-level denial-of-service (DoS) flaw was recently discovered in the WordPress CMS platform. The vulnerability could let anyone take down most WordPress websites, even from a single machine, without the massive amount of bandwidth that network-level DDoS attacks usually require.
A notable aspect of this vulnerability is that WordPress has declined to patch it. The vulnerability (CVE-2018-6389) therefore remains unpatched and affects almost all versions of WordPress released in the last nine years. Discovered by Israeli security researcher Barak Tawily, it affects even the latest stable release of WordPress (version 4.9.2).
The vulnerability resides in the way “load-scripts.php”, a built-in script in the WordPress CMS, processes user-defined requests.
How load-scripts.php works
Researcher Barak Tawily, who discovered the WordPress DoS flaw, explains in detail on his blog how the flaw can be used to carry out a DoS attack.
Barak Tawily also describes what happened when he contacted WordPress about the vulnerability. He writes: “WordPress has a bug bounty program, and I contacted them about this issue, even though I knew DoS vulnerabilities are out-of-scope, I reported it through HackerOne and explained the vulnerability, I thought they would understand that there is a security issue here and properly address it. After going back and forth about it a few times and my trying to explain and provide a PoC, they refused to acknowledge it and claimed that: ‘This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress’s control’”.
WordPress’s response left Barak Tawily frustrated, but he did not give up and came up with some effective solutions, which he explains in detail on his blog.