On February 5, 2018, security researchers disclosed a denial-of-service (DoS) vulnerability that affects all WordPress 3.x and 4.x versions. An attacker can exhaust server resources by making WordPress load a large number of JavaScript files in a single request, which causes a DoS attack on the target server.

WAF is not affected by this vulnerability. However, if your website uses WordPress, we recommend that you add protection rules to increase the security of your business.

Description

This vulnerability is found in the load-scripts.php file, a built-in script of the WordPress CMS. load-scripts.php selectively loads the JavaScript files whose names are passed in the load parameter. Multiple names are separated with commas (,).

For example, the request https://example.com/wp-admin/load-scripts.php?c=1&load[]=jquery-ui-core,editor&ver=4.9.1 loads the JavaScript files jquery-ui-core and editor.

Because the list is not limited, all 181 JavaScript files defined in the script-loader.php file can be requested in a single request. An attacker can send a large number of such requests without authentication, which increases server load and results in a DoS attack.

Protection tips

We recommend that you use HTTP ACL policies and custom HTTP flood protection to protect your WordPress website.

  • You can add an access control rule that restricts the parameters passed to the load-scripts.php file. For example, you can add a rule that limits the length of the load parameter passed to load-scripts.php to at most 50 characters.

  • You can also use custom HTTP flood protection to limit how frequently a single IP address can request load-scripts.php. For example, you can add a rule that allows an IP address to request load-scripts.php at most 100 times every 5 seconds.
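The following added example models the two rules above in code so that you can see what each one checks; it is not WAF rule syntax or WordPress code. The path /wp-admin/load-scripts.php and the thresholds (50 characters, 100 requests per 5 seconds) come from the text; the sample URLs and IP address are constructed.

```python
# Added illustration of the two protection rules, not part of any product.
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlsplit

LOAD_SCRIPTS_PATH = "/wp-admin/load-scripts.php"
MAX_LOAD_LEN = 50        # ACL rule: maximum length of the load parameter
RATE_LIMIT = 100         # flood rule: requests allowed per window per IP
WINDOW_SECONDS = 5


def is_load_scripts(url: str) -> bool:
    """Both rules apply only to requests for load-scripts.php."""
    return urlsplit(url).path.endswith(LOAD_SCRIPTS_PATH)


def load_param_too_long(url: str, max_len: int = MAX_LOAD_LEN) -> bool:
    """ACL rule: True if any load or load[] value exceeds max_len characters."""
    if not is_load_scripts(url):
        return False
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("load[]", []) + params.get("load", [])
    return any(len(value) > max_len for value in values)


class LoadScriptsRateLimiter:
    """Flood rule: at most `limit` load-scripts.php requests per `window`
    seconds from one IP address, using a sliding window of timestamps."""

    def __init__(self, limit: int = RATE_LIMIT, window: float = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps of recent requests

    def allow(self, ip: str, url: str, now: float) -> bool:
        if not is_load_scripts(url):
            return True                 # other paths are not rate limited here
        recent = self.hits[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()            # drop hits that aged out of the window
        if len(recent) >= self.limit:
            return False                # over the limit: block this request
        recent.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample: the legitimate two-script request from the text
    # versus a request whose load[] value lists far more than 50 characters.
    ok = "https://example.com/wp-admin/load-scripts.php?c=1&load[]=jquery-ui-core,editor&ver=4.9.1"
    long = "https://example.com/wp-admin/load-scripts.php?load[]=" + ",".join(f"s{i}" for i in range(30))
    print(load_param_too_long(ok), load_param_too_long(long))  # False True
```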

For more information about access control rules and custom HTTP flood protection, see HTTP ACL policy and Custom HTTP flood protection.