Recently, a significant application-level denial of service (DoS) vulnerability has been uncovered in the WordPress content management system (CMS). This flaw allows an attacker to incapacitate numerous WordPress sites using a single machine without the need for extensive bandwidth typically associated with distributed denial of service (DDoS) strategies.
The vulnerability, designated as CVE-2018-6389, affects nearly all versions of WordPress released over the past nine years, including the most recent stable version, WordPress 4.9.2. Despite its potential seriousness, the company has opted not to release a patch, leaving millions of websites susceptible to exploitation.
Discovered by Israeli security researcher Barak Tawily, the vulnerability is embedded in “load-scripts.php,” a core script designed to optimize website performance by consolidating multiple JavaScript files into a single request. However, in an oversight, WordPress has exempted this script from requiring authentication on the login page (wp-login.php), inadvertently rendering it accessible to anyone.
The load-scripts.php script operates by selectively calling required JavaScript files based on parameters passed in the URL. For instance, a request could look like this:
https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery
Upon receiving such a request, the script assembles the specified JavaScript files into a single response, sending it to the user’s browser.
Tawily’s research indicates that an attacker could exploit this capability by requesting all available JavaScript files—totaling 181 scripts—at once, consuming excessive CPU and memory resources of the target server. This action could slow down or even effectively disable the website for legitimate users.
As Tawily points out, while a single request may not immediately incapacitate a website, a malicious actor could use a proof-of-concept (PoC) Python script, named doser.py, which generates numerous concurrent requests. This tactic aims to exhaust the target server's CPU resources. The Hacker News has verified the effectiveness of this exploit, noting that it successfully disrupted a demo WordPress site hosted on a mid-tier VPS.
Despite varying levels of server capacity, the vulnerability presents risks across the board. Load-scripts.php does not necessitate authentication, meaning even an unauthenticated user could initiate these requests. Tawily observed that after approximately 500 requests, the test server became unresponsive, returning 502, 503, or 504 errors. Conversely, a more robust dedicated server was less susceptible to this specific attack due to its high processing capabilities.
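The request shape described above (an unauthenticated GET to wp-admin/load-scripts.php whose comma-separated `load=` parameter names far more script handles than any legitimate admin page needs, repeated hundreds of times from one source) is easy to spot in ordinary web-server access logs. The following detector is an added example written for this article, not code from the researcher or the WordPress project. It assumes the log is in the common Apache/nginx "combined" format, and the thresholds (more than 20 handles per request, 50 or more requests from one IP in the log slice being analyzed) are assumptions to tune per site; the sample log lines are constructed, not real traffic.

```python
"""Flag CVE-2018-6389-style abuse of wp-admin/load-scripts.php in access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumption: logs use the Apache/nginx "combined" format; only the leading fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

MAX_SCRIPTS = 20      # assumed threshold: legitimate admin pages request far fewer handles per call
BURST_THRESHOLD = 50  # assumed threshold: requests from one IP within the analyzed log slice


def parse_line(line):
    """Return ip, path, parsed query and status for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def script_count(query):
    """Count distinct non-empty handles in the comma-separated load= parameter(s)."""
    names = set()
    for value in query.get("load", []):
        names.update(n.strip() for n in value.split(",") if n.strip())
    return len(names)


def analyze(lines, max_scripts=MAX_SCRIPTS, burst=BURST_THRESHOLD):
    """Return [(ip, stats)] for sources that sent oversized load-scripts requests or a burst of them."""
    per_ip = defaultdict(lambda: {"requests": 0, "oversized": 0, "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/wp-admin/load-scripts.php"):
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if script_count(rec["query"]) > max_scripts:
            stats["oversized"] += 1
        if rec["status"] >= 500:  # 502/503/504 once the backend is saturated
            stats["errors"] += 1
    return sorted((ip, s) for ip, s in per_ip.items()
                  if s["oversized"] > 0 or s["requests"] >= burst)


def _constructed_sample_log():
    """Constructed access-log lines (not real traffic): one legitimate call, then a 60-request flood."""
    legit = ('198.51.100.7 - - [10/Feb/2018:12:00:01 +0000] "GET /wp-admin/load-scripts.php'
             '?c=1&load=editor,common,user-profile,media-widgets,media-gallery HTTP/1.1" 200 41234')
    # Hypothetical handle names padding the list well past the threshold.
    many = ",".join(["editor", "common", "user-profile"] + [f"handle{i}" for i in range(30)])
    flood = [
        f'203.0.113.5 - - [10/Feb/2018:12:00:{i % 60:02d} +0000] "GET /wp-admin/load-scripts.php'
        f'?c=1&load={many} HTTP/1.1" {200 if i < 40 else 503} 0'
        for i in range(60)
    ]
    return [legit] + flood


if __name__ == "__main__":
    for ip, stats in analyze(_constructed_sample_log()):
        print(ip, stats)
```

Run against the constructed sample, only 203.0.113.5 is reported (60 requests, all oversized, 20 of them answered with 503), while the five-handle request from the legitimate client is ignored. Feeding real log lines to `analyze()` and shipping the result to an alerting pipeline gives an early signal that the server is being driven into the 502/503/504 state described above.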
This application-layer vulnerability poses a considerable threat as it allows for targeted attacks against widely-utilized WordPress sites that manage significant traffic. For those unable to invest in DDoS protection measures, Tawily has provided a forked version of WordPress embedded with mitigative features against this vulnerability. Nevertheless, caution is advised in deploying modified CMSs.
To further assist those concerned, the researcher has developed a straightforward bash script intended to rectify the issue for existing WordPress installations. It is imperative for website owners to remain vigilant as vulnerabilities of this nature expose them to substantial risks, given that WordPress currently powers approximately 29% of all websites worldwide.
Alongside the vulnerability disclosure, Tawily expressed concern over WordPress’s non-responsiveness to his report. The company has stated that this type of flaw should be mitigated at the server or network level rather than through application-level measures within WordPress’s domain. As this vulnerability continues to endanger millions of sites, business owners must assess their cybersecurity postures in light of this ongoing threat.
In summary, should you operate a WordPress site, consider evaluating your server’s capacity and the implementation of protective measures against application-layer attacks, as they demand far fewer resources to execute compared to traditional network-level attacks.