WordPress Core Vulnerability February 2018

March 1, 2018

Be informed that the latest WordPress Core vulnerability IS STILL UNPATCHED since its first official report on January 29, 2018, or its official disclosure date: Monday, February 5, 2018. All versions of WordPress, from the latest 4.9.4 and below, have this application-level Denial of Service (DoS) vulnerability.

A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in the WordPress CMS platform that could allow anyone to take down most WordPress websites even with a single machine, without hitting them with the massive amount of bandwidth that network-level DDoS attacks require to achieve the same. According to the researcher, one can simply force load-scripts.php to call all possible JavaScript files (i.e., 181 scripts) in one go by passing their names into the attack URL.

Unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. Limited resources include:

  • Memory
  • File system storage
  • Database connection pool entries
  • CPU

If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources. This would prevent valid users from accessing the WordPress website, and it could potentially have an impact on the surrounding hosting environment. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system.
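One way to spot this request pattern in web server access logs, as an added example that is not part of the original post. It assumes combined-format log lines, the standard `/wp-admin/load-scripts.php` path and its `load` parameter, and illustrative thresholds; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client IP first, request line inside the first quotes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')

MAX_HANDLES = 40  # assumed threshold: script handles in one request
MIN_HITS = 3      # assumed threshold: oversized requests per client


def count_handles(target):
    """Number of script handles requested from load-scripts.php, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/load-scripts.php"):
        return None
    handles = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # PHP accepts load=a,b as well as load[]=a,b (brackets often encoded).
        if key == "load" or key.startswith("load["):
            handles.extend(h for h in value.split(",") if h)
    return len(handles)


def flag_clients(log_lines, max_handles=MAX_HANDLES, min_hits=MIN_HITS):
    """Map client IP -> count of oversized load-scripts.php requests."""
    heavy = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        n = count_handles(m.group(2))
        if n is not None and n > max_handles:
            heavy[m.group(1)] += 1
    return {ip: hits for ip, hits in heavy.items() if hits >= min_hits}


def sample_log():
    """Constructed lines: documentation IPs and placeholder handle names."""
    fmt = '{ip} - - [01/Mar/2018:10:00:0{s} +0000] "GET {t} HTTP/1.1" 200 512 "-" "-"'
    base = "/wp-admin/load-scripts.php?c=1&load%5B%5D="
    many = ",".join(f"handle{i}" for i in range(181))
    lines = [fmt.format(ip="198.51.100.7", s=s, t=base + many) for s in range(4)]
    lines.append(fmt.format(ip="203.0.113.9", s=5, t=base + "handle-a,handle-b"))
    return lines


if __name__ == "__main__":
    print(flag_clients(sample_log()))
```

Clients returned by `flag_clients` are candidates for rate limiting or blocking at the web server or WAF; tune both thresholds against normal admin traffic first.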

Protect your WordPress!

BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business.

by Csaba Miklós