On February 5, 2018, a security researcher disclosed a denial-of-service (DoS) vulnerability in WordPress. The vulnerability affects all versions of WordPress from 3.x to 4.x. Attackers can trigger a DoS attack and consume server resources by using WordPress to load multiple JavaScript files in a single request.

WAF is not affected by this vulnerability. However, if your website business uses WordPress, we recommend that you configure appropriate protection rules.

Vulnerability description

This vulnerability is found in the load-scripts.php file. load-scripts.php is the built-in script of WordPress, a Content Management System (CMS) system. The load-scripts.php file selectively calls required JavaScript files by passing their names into the load parameter. The names are separated with commas (,).

For example, in the request of https://example.com/wp-admin/load-scripts.php?c=1&load[]=jquery-ui-core,editor&ver=4.9.1, JavaScript files jquery-ui-core and editor are loaded.

All 181 JavaScript files defined in the script-loader.php file can be loaded in a single request. An attacker can send a large number of requests without authorization, and this results in increased server load and triggers DoS attacks.

Protection recommendations

We recommend that you use the custom protection policy and HTTP flood protection features provided by WAF to protect your WordPress website.

  • You can use the custom protection policy feature to restrict the number of parameters passed by load-scripts.php. For example, you can add the following rule to restrict the length of the parameter passed by load-scripts.php to up to 50 characters.Create a rule
  • You can also use the custom HTTP flood protection feature to restrict the frequency at which IP addresses can send requests to the load-scripts.php file. For example, you can add the following rule to restrict the frequency at which an IP address sends requests to the load-scripts.php file to up to 100 times per 5 seconds.Create a rule

For more information about the custom protection policy and custom HTTP flood protection features, see Custom protection policy and HTTP flood protection.