WordPress, one of the most popular content management systems in the world is rendered vulnerable to yet another vulnerability capable of bringing down an entire WordPress powered system. Statistically powering nearly 29% of the web, an unattended WordPress vulnerability breeds serious consequences for businesses and websites.
The WordPress DoS Vulnerability
The vulnerability (CVE-2018-6389) was discovered by Israeli researcher Barak Tawily. According to Tawily, the flaw can be found in how “load-scripts.php” processes user-defined requests. Designed for users with admin permissions, “load-scripts.php” is a built-in script to aid in the improvement of website’s performance and page load speeds by combining JavaScript files into a single request.
While the script was designed for WordPress admins allowing them to load multiple JavaScript files into a single request, the vulnerability exploit will allow anyone to invoke it by calling the function before login.
Generally, the load-scripts.php file works by selectively calling essential JavaScript files by passing their names into the “load” parameter. When the website is loading, this script attempts to find all JavaScript file name given in the URL, append content into a single file and then send back it to the user’s browser.
But according to Tawily, a hacker could simply force load-scripts.php to call all possible JavaScript files at once by adding these file names into a URL. The consequence being website slowdowns due to excessive processor cycles and server memory consumption.
Video Courtesy: baraktawily.blogspot.in
The above video is a Proof of Concept given by Tawily. In this, he creates a proof-of-concept (PoC) python script, called doser.py could make many concurrent requests and take down a server.
How to Mitigate WordPress DoS flaw?
While WordPress refuses to acknowledge the flaw and believes that should be mitigated at the server level, this vulnerability is simple enough to be exploited and bring down complete websites. Since 60 percent of CMS worldwide are WordPress based, the flaw ought to be taken seriously. It is highly advised to use a patched up version of the CMS. In case of use of a WordPress website on a Linux machine, this bash script created by Tawily modifies the relevant files in order to mitigate the vulnerability.
Worried about the security of your WordPress Website? Take a look at Astra’s WordPress security package to mitigate against online attacks.