
WordPress Core Vulnerability February 2018


For your WordPress protection, be informed that the latest WordPress Core vulnerability IS STILL UNPATCHED since its first official report on January 29, 2018, or its official disclosure date of Monday, February 5, 2018. All versions of WordPress, from the latest 4.9.4 and below, have this application denial of service (DoS) vulnerability.

A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in the WordPress CMS platform that could allow anyone to take down most WordPress websites, even with a single machine, without the massive amount of bandwidth that network-level DDoS attacks require to achieve the same. According to the researcher, one can simply force load-scripts.php to call all possible JavaScript files (i.e., 181 scripts) in one go by passing their names into the attack URL.

Unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. Limited resources include:

  • Memory
  • File system storage
  • Database connection pool entries
  • CPU

If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources. This would prevent valid users from accessing the WordPress website, and it could potentially have an impact on the surrounding hosting environment. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system.
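To check whether a site is receiving this kind of traffic, the following added example (not part of the original post and not WordPress code) scans web server access logs for load-scripts.php requests that ask for an unusually large number of scripts, and for clients that call it repeatedly. It assumes combined log format, the `load` query parameter through which load-scripts.php receives script names, and thresholds chosen for illustration; the log lines and the `handleN` names are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed thresholds; tune them against your own baseline traffic.
MAX_HANDLES = 40   # script handles in one load-scripts.php request
MAX_REQUESTS = 3   # load-scripts.php requests per client in the scanned lines

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

def count_handles(target):
    """Number of script handles requested, or None if not load-scripts.php."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/load-scripts.php"):
        return None
    handles = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # Handles arrive as load=a,b or load[]=a,b (parse_qsl decodes %5B%5D).
        if key == "load" or key.startswith("load["):
            handles += [h for h in value.split(",") if h]
    return len(handles)

def scan(lines):
    """Return (oversized requests as (ip, handle_count), sorted noisy client IPs)."""
    per_ip, oversized = defaultdict(int), []
    for line in lines:
        m = LOG_RE.match(line)
        n = count_handles(m["target"]) if m else None
        if n is None:
            continue
        per_ip[m["ip"]] += 1
        if n > MAX_HANDLES:
            oversized.append((m["ip"], n))
    return oversized, sorted(ip for ip, c in per_ip.items() if c > MAX_REQUESTS)

def make_line(ip, target):
    """Build one constructed access-log line (combined log format)."""
    return f'{ip} - - [05/Feb/2018:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'

# Constructed sample: one ordinary admin request, then five oversized ones.
BIG = ",".join(f"handle{i}" for i in range(181))  # placeholder handle names
SAMPLE = [
    make_line("192.0.2.10", "/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils"),
    make_line("192.0.2.10", "/index.php"),
] + [make_line("203.0.113.7", f"/wp-admin/load-scripts.php?c=1&load%5B%5D={BIG}")] * 5

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Clients reported by `scan` are candidates for rate limiting or blocking at the web server or WAF, ahead of PHP.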

Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
