
[Vulnerability notice] CVE-2018-6389: DoS vulnerability in all versions of WordPress

Last Updated: Apr 08, 2018

In February 2018 a security researcher published a DoS vulnerability (CVE-2018-6389) that affects every version of WordPress released in the last nine years, including the latest at the time of writing, version 4.9.2 [1]. A PoC demo video and a script that patches the issue have been released by the researcher, not by WordPress. The WordPress team has declined to treat this as a security vulnerability, so there is no official fix and upgrading alone does not remove the issue.

WordPress is widely used. If you have installed WordPress, we recommend that you follow this issue and check whether your installation is affected.

See the following for more information about the vulnerability.


CVE identifier

CVE-2018-6389

Vulnerability name

DoS vulnerability in all versions of WordPress

Vulnerability rating

High

Vulnerability description

This vulnerability is an application-level DoS issue in the wp-admin/load-scripts.php script. load-scripts.php is intended for the WordPress administration dashboard: it takes a list of script handles in the load[] parameter and returns the corresponding JavaScript files concatenated into a single response. Technical analysis shows that the script can be called by anyone without logging in. A request of a few hundred bytes can make the server read, concatenate and return hundreds of kilobytes of JavaScript, so repeated unauthenticated requests consume CPU, memory and bandwidth on the server and can take the site down.

Condition and method of exploitation

The vulnerability can be exploited remotely and without authentication; a public PoC exists.

PoC Status

Published

Affected scope

WordPress <= 4.9.2

Vulnerability detection

Check whether the installed WordPress version is 4.9.2 or earlier, and whether wp-admin/load-scripts.php answers requests from unauthenticated clients.
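The following script is an added example that is not part of this notice or of WordPress itself. It implements the two checks described above and in the vulnerability description: a version comparison against the affected scope the notice lists (<= 4.9.2), and a single unauthenticated probe of wp-admin/load-scripts.php that reports the response-to-request size ratio, which is what makes the script usable as an amplifier. The script handles, the example site name and the sample response body are our assumptions, constructed so the checks can be run and understood offline; the network probe sends exactly one request and should only be pointed at a site you are authorised to test.

```python
"""Checks for CVE-2018-6389 (unauthenticated load-scripts.php amplification) in WordPress.

Added example for this notice; assumptions are marked in comments.
"""
import urllib.parse
import urllib.request

# Script handles that load-scripts.php will concatenate. These are real
# WordPress handles, but the particular selection is our assumption.
SAMPLE_HANDLES = ["jquery-core", "jquery-migrate", "jquery-ui-core",
                  "jquery-ui-widget", "jquery-ui-mouse"]

# Last version the notice lists as affected.
LAST_AFFECTED = (4, 9, 2)


def parse_version(version):
    """'4.9.2' -> (4, 9, 2); tolerates a suffix such as '4.9.2-alpha'."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True when the version falls inside the notice's affected scope (<= 4.9.2)."""
    return parse_version(version) <= LAST_AFFECTED


def build_probe_url(site, handles, version="4.9.2"):
    """Build the unauthenticated load-scripts.php request that bundles `handles`.

    The request stays a few hundred bytes no matter how much JavaScript it
    asks the server to read and concatenate; that asymmetry is the issue.
    """
    query = urllib.parse.urlencode({"c": "1", "load[]": ",".join(handles), "ver": version})
    return f"{site.rstrip('/')}/wp-admin/load-scripts.php?{query}"


def amplification(request_url, response_body):
    """Bytes returned per byte sent. A large ratio on a request that needed no
    login means the server does far more work than the client."""
    return len(response_body) / len(request_url.encode())


def probe(site, handles=SAMPLE_HANDLES, timeout=10):
    """Send one probe and return (HTTP status, amplification ratio).

    Only use against sites you are authorised to test; one request is harmless.
    """
    url = build_probe_url(site, handles)
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2018-6389-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
        return resp.status, amplification(url, body)


if __name__ == "__main__":
    # Constructed sample: the probe URL is ~170 bytes; pretend the server
    # answered with 260 KB of concatenated JavaScript.
    url = build_probe_url("https://example.com", SAMPLE_HANDLES)
    fake_body = b"/* minified jquery + ui */" * 10000
    print("4.9.2 affected:", is_affected("4.9.2"))
    print("probe url:", url)
    print("amplification: %.0fx" % amplification(url, fake_body))
```

A 200 response with a ratio in the hundreds or thousands from a client that presents no WordPress login cookie confirms that load-scripts.php is doing the concatenation work for anonymous visitors, which is the condition the PoC relies on; on an installation where the script has been patched or fronted by an access rule, the probe should fail or return something small.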

How to fix or mitigate

  • The researcher's patch script has been released. Test it and apply it to your WordPress installation according to your website's business situation. Note that load-scripts.php is also used by the administration dashboard itself, so blocking the script outright at the web server breaks wp-admin; restrict or rate-limit unauthenticated requests instead.

  • We recommend that you upgrade your WordPress to the latest version immediately.

Note: Test the upgrade first and take a snapshot of your ECS instance to back up your data before upgrading.

Reference

[1] Barak Tawily, "How to DoS 29% of the World Wide Websites", February 2018. https://baraktawily.blogspot.in/2018/02/how-to-dos-29-of-world-wide-websites.html
