A serious application-level denial-of-service (DoS) vulnerability has been discovered in the WordPress CMS platform. It can potentially take down most WordPress websites without the massive amount of bandwidth usually required in DoS attacks.

Since WordPress itself has not (to date) provided a patch, the vulnerability (CVE-2018-6389) remains and affects most versions of WordPress, including version 4.9.2, its latest and most stable release.

The vulnerability resides in the way “load-scripts.php” processes user-supplied requests.
The file load-scripts.php was designed for admin users to improve performance and load pages faster: it combines multiple JavaScript files into a single request.

Apparently, WordPress developers did not require authentication for requesting the file before logging into the admin section, which makes the feature accessible to the entire world! 🙁

If you access your unpatched WordPress site via the following URL, you will see the vulnerability in action (a bunch of JS files separated by commas):

https://unpatched-wordpress.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery

An attacker can force “load-scripts.php” to load all of the existing JavaScript files in a single request by passing their names into the load parameter of the example URL. This causes a gradual increase in CPU and memory consumption on the server.

A single request might not be enough to affect most servers, but large numbers of concurrent requests to the same URL can take the server down.
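
Detection gives a site owner without upstream DDoS protection some early warning. The following is an added example, not part of the original post or of the JetBackup script: it parses constructed Apache-style combined access-log lines (a layout assumed here), counts the script handles in each load-scripts.php request, and flags requests carrying an unusually long handle list together with the source addresses sending bursts of them. The thresholds (20 handles, 5 requests) are assumptions to tune per site.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log layout (assumed); only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def handle_count(target):
    """Number of script handles in a load-scripts.php request target; 0 for any other URL."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/load-scripts.php"):
        return 0
    load = parse_qs(parts.query).get("load", [""])[0]  # parse_qs already URL-decodes the value
    return len([h for h in load.split(",") if h])

def find_abusive_requests(lines, max_handles=20, burst_threshold=5):
    """Return (oversized, bursting): requests whose handle list exceeds max_handles,
    and the source IPs that sent at least burst_threshold of them."""
    oversized = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        n = handle_count(m.group("target"))
        if n > max_handles:
            oversized.append((m.group("ip"), n))
            per_ip[m.group("ip")] += 1
    bursting = sorted(ip for ip, c in per_ip.items() if c >= burst_threshold)
    return oversized, bursting

# Constructed sample log: one normal admin page load, then a burst of oversized requests
# from a single source and one stray oversized request from another source.
MANY = ",".join("handle%d" % i for i in range(30))  # stand-in for a long list of script handles
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1'
    '&load=editor,common,user-profile,media-widgets,media-gallery HTTP/1.1" 200 51234',
] + [
    '203.0.113.7 - - [05/Feb/2018:10:00:0%d +0000] "GET /wp-admin/load-scripts.php?c=1&load=%s HTTP/1.1" 200 812345'
    % (i, MANY)
    for i in range(2, 8)
] + [
    '198.51.100.4 - - [05/Feb/2018:10:00:09 +0000] "GET /wp-admin/load-scripts.php?c=1&load=%s HTTP/1.1" 200 812345'
    % MANY,
]

if __name__ == "__main__":
    oversized, bursting = find_abusive_requests(SAMPLE_LOG)
    print("oversized requests:", len(oversized), "bursting sources:", bursting)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a burst of oversized load-scripts.php requests from one address is the pattern worth rate-limiting or blocking at the web server.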

The company behind WordPress says that this vulnerability should be mitigated at the server level rather than in the application. This leaves WordPress website owners who don’t have anti-DDoS protection to deal with it themselves.

To fix it yourself, you need SSH access to your WordPress base directory; download the following script and run it: wp-dos-patch.sh

If you don’t have SSH access to the server, ask your hosting provider to run it for you.

In any case, make sure you have a complete backup of your website before applying the script. With JetBackup you can also create a DR Clone, just in case something goes wrong and you need a quick recovery of your website.