A DoS Flaw That Could Help Take Down WordPress Websites


Quite recently, a simple but serious application-level DoS (Denial of Service) flaw was discovered in the WordPress CMS platform. This DoS vulnerability could let anyone take down most WordPress websites from a single machine: there is no need for the massive amount of bandwidth that network-level DDoS attacks usually require.

A very notable thing about this WordPress vulnerability is that the company has declined to patch the issue. Hence the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released in the last nine years. The vulnerability, discovered by Israeli security researcher Barak Tawily, affects even the latest stable release of WordPress (Version 4.9.2).

This WordPress vulnerability resides in the way “load-scripts.php” (a built-in script in the WordPress CMS) processes user-defined requests.

How load-scripts.php works

The load-scripts.php file is designed for admin users, to help a website improve performance and load pages faster. It does this by combining (on the server end) multiple JavaScript files into the response to a single request. The WordPress authors, however, put no authentication in place, so that “load-scripts.php” also works on the admin login page (wp-login.php) before login. The feature is therefore reachable by anyone, authenticated or not.

The Hacker News explains, in a detailed report on the WordPress DoS flaw: “Depending upon the plugins and modules you have installed, the load-scripts.php file selectively calls required JavaScript files by passing their names into the ‘load’ parameter, separated by a comma, like in the following URL:

https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery

While loading the website, the ‘load-scripts.php’ (mentioned in the head of the page) tries to find each JavaScript file name given in the URL, appends their content into a single file and then sends it back to the user’s web browser.”
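Because the handle list in the “load” parameter is the whole attack surface described above, a defender can spot abuse of it directly in the web server access log. The following is an added example (not code from this article, from WordPress, or from the researcher): it parses combined-format access log lines, keeps only requests to wp-admin/load-scripts.php, and flags a client that either sends an oversized handle list or hammers the endpoint. The thresholds, the client addresses and the log lines are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse, parse_qs

# Combined log format: client, identity, user, [timestamp], "request line", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

MAX_HANDLES = 40          # assumed threshold: real admin pages request a few dozen handles
MAX_REQ_PER_CLIENT = 20   # assumed threshold: load-scripts.php hits per client in this log slice

def parse_line(line):
    """Return {'ip', 'handles'} for a load-scripts.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    if not url.path.endswith("/wp-admin/load-scripts.php"):
        return None
    load = parse_qs(url.query).get("load", [""])[0]   # comma-separated handle names
    names = [h for h in load.split(",") if h]
    return {"ip": m.group("ip"), "handles": len(names)}

def analyze(lines):
    """Map client IP -> list of reasons it was flagged; empty dict when nothing is suspicious."""
    requests_per_ip = Counter()
    max_handles_per_ip = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        requests_per_ip[rec["ip"]] += 1
        max_handles_per_ip[rec["ip"]] = max(max_handles_per_ip[rec["ip"]], rec["handles"])
    flagged = {}
    for ip, count in requests_per_ip.items():
        reasons = []
        if max_handles_per_ip[ip] > MAX_HANDLES:
            reasons.append(f"oversized load list ({max_handles_per_ip[ip]} handles)")
        if count > MAX_REQ_PER_CLIENT:
            reasons.append(f"{count} load-scripts.php requests")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample log: one normal admin request and one client repeating an oversized request.
LEGIT_LINE = ('192.0.2.10 - - [06/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php'
              '?c=1&load=editor,common,user-profile,media-widgets,media-gallery HTTP/1.1" 200 51234')
BIG_LOAD = ",".join(f"handle{i}" for i in range(181))   # constructed names, not real WordPress handles
ABUSE_LINE = ('198.51.100.7 - - [06/Feb/2018:10:00:02 +0000] "GET /wp-admin/load-scripts.php'
              f'?c=1&load={BIG_LOAD} HTTP/1.1" 200 4000000')
SAMPLE_LOG = [LEGIT_LINE] + [ABUSE_LINE] * 25
```

Running `analyze(SAMPLE_LOG)` flags only 198.51.100.7, for both the handle count and the request count; in production the counts would be computed per time window rather than over a whole file.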

Researcher Barak Tawily, who discovered the WordPress DoS flaw, explains in detail on his blog how the flaw can be used to carry out a DoS attack.

Barak Tawily also explains what happened when he contacted WordPress about the vulnerability; he writes: “WordPress has a bug bounty program, and I contacted them about this issue, even though I knew DoS vulnerabilities are out-of-scope. I reported it through HackerOne and explained the vulnerability; I thought they would understand that there is a security issue here and properly address it. After going back and forth about it a few times and my trying to explain and provide a PoC, they refused to acknowledge it and claimed that: ‘This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress’s control’”.

WordPress’s response left Barak Tawily frustrated, but he did not give up and came up with some effective mitigations, which he explains in detail on his blog.
