Multiple Bots and High Bandwidth Could Utilize WordPress Vulnerability

Started by gnh73, Jul 30, 2022, 01:26 AM

Previous topic - Next topic

gnh73Topic starter

It is crucial to understand that exploiting this vulnerability without consent from the website owner is illegal.

 The WordPress CMS platform has a severe application layer denial-of-service (DoS) vulnerability, which enables any user to bring down most WordPress sites, even with just one machine, without requiring a vast number of computers as required by DDoS attacks.

The vulnerability (CVE-2018-6389) affects nearly all WordPress versions released over the last nine years, including the latest stable version, and remains unpatched since the WordPress Foundation refused to fix it. Israeli security researcher Barak Tawily discovered the vulnerability in the "load-scripts.php" embedded script in WordPress CMS, which was designed for administrators to help improve site performance and page loading speed.

However, the feature is accessible to everyone without authentication, making it possible for hаckers to slow down target sites, cause high CPU and memory cost on servers, and attack popular WordPress websites using more bandwidth or multiple bots. Despite being outside the WordPress bug bounty application's scope, Tawily reported the DoS vulnerability to the WordPress team responsibly.


To resolve this issue, you can simply block access to the path and redirect access to the old path through rewrites, symlinks, try_files, etc. However, this solution may not be effective if the links include something like "/xхxxхxxхxхx", which is considered hardcore.

It is worth noting that not only load-scripts.php is located in the wp-admin folder, but also admin-ajax.php. Ajax comes through admin-ajax.php from the user. Security plugins or some other plugins may cause a request for a password to pop up for guests, although it may not happen with a bare engine. If this issue had been addressed earlier, everything would have been secured by now.


I believe that approximately one-third of websites cannot be hosted on WordPress due to long parallel requests, such as those in a home page URL with random parts. Additionally, some sites may require higher hosting fees. During load testing of one project, 700 threads were used from one virtual machine, causing response times to increase from seconds to tens of seconds.

This delay is unacceptable for most users, resulting in a significant drop in website traffic. Furthermore, there could be notifications for administrators on 5xx errors and a decline in audience from 1500 people during the day to 150 people at night. This may not concern all admins, and even the sales department of an e-commerce store may not immediately notice. The overall situation regarding security is concerning.