DDoS attack that affects all versions of WordPress
All versions of the last 9 years are vulnerable
The Thehackernews.com website published a vulnerability last month that allows a simple but serious DDoS attack against WordPress. The vulnerability allows the attack to succeed even from a single machine, without consuming a large amount of bandwidth.
The vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released in the last nine years, including the latest stable version of WordPress (version 4.9.4). Discovered by Israeli security researcher Barak Tawily, the vulnerability lies in the way the file load-scripts.php is loaded.
To make load-scripts.php work on the administrator login page (wp-login.php) before logging in, the WordPress authors did not put any authentication in place, which ultimately made the function accessible to anyone.
How WordPress DDoS Attack works
“There is a well-defined list ($wp_scripts), which users can request as part of the load parameter. If the requested value exists, the server will perform an I/O reading action for a well-defined path associated with the value supplied by the user,” says Tawily.
Although a single request is not enough to bring down a whole website, Tawily used a test Python script that makes a large number of concurrent requests to the same URL, in an attempt to exhaust the server’s CPU resources.
The Hacker News verified the authenticity of the DDoS exploit, which took one of their test websites, running on a medium VPS, out of service.
“It’s time to mention once again that load-scripts.php does not require any authentication; an anonymous user can do it. After 500 requests, the server did not respond at all, or returned a 503 error, sometimes 502 or 504,” says Tawily.
However, the attack from a single machine with a 40 Mbps connection was not enough to knock down another demonstration website hosted on a dedicated server with high processing capacity and memory.
This does not mean that the flaw is ineffective against websites that run on a shared server, since such an attack generally requires far fewer packets and much less bandwidth to knock the server out. Attackers with more bandwidth or a few bots could therefore exploit it against large and popular sites.
DDoS Attack Mitigation Guide
Along with the full disclosure, Tawily has also provided a video demonstration of the DDoS attack. You can watch the following video to see the attack in action:
DDoS vulnerabilities are out of scope for the WordPress bug bounty program. Tawily nonetheless responsibly reported this vulnerability to the WordPress team through HackerOne; however, the company declined to acknowledge the problem. The company also said that this kind of issue “should be mitigated at the level of the server or the network, instead of the application.”
The vulnerability seems serious because WordPress is the CMS behind 29% of all existing web pages, which leaves millions of websites vulnerable to cyber attacks.
For websites that cannot afford services offering protection against application-layer DDoS attacks, the researcher has provided a forked version of WordPress that includes a mitigation for this vulnerability.
In addition, the researcher has also released a simple bash script that fixes the problem on an already installed WordPress site.
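As an added, defender-side example (not the researcher's script and not WordPress code), the following Python log analyzer flags the traffic pattern described above in web-server access logs: many requests to load-scripts.php from one client, or single requests that name an unusually large number of script handles in the load parameter. The sample log lines, IP addresses, handle names and the two thresholds are constructed assumptions, not values from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common/combined access-log format: client IP, timestamp, request line, status code, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Return ip, path, status and the script handles named in ?load= (None if unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    handles = []
    # WordPress emits load[]=...; load-scripts.php accepts a bare load=... as well.
    for key in ("load", "load[]"):
        for value in parse_qs(url.query).get(key, []):
            handles.extend(h for h in value.split(",") if h)
    return {"ip": m.group("ip"), "path": url.path, "status": int(m.group("status")), "handles": handles}

def analyze(log_text, max_handles=20, max_requests=500):
    """Aggregate load-scripts.php traffic per client IP; thresholds are assumed tuning values."""
    per_ip = defaultdict(lambda: {"requests": 0, "max_handles": 0, "errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/load-scripts.php"):
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        stats["max_handles"] = max(stats["max_handles"], len(rec["handles"]))
        stats["errors"] += rec["status"] >= 500  # 502/503/504 replies show the server is already struggling
    findings = []
    for ip, stats in sorted(per_ip.items()):
        if stats["max_handles"] > max_handles:
            findings.append((ip, f"{stats['max_handles']} script handles in a single request"))
        if stats["requests"] > max_requests:
            findings.append((ip, f"{stats['requests']} requests to load-scripts.php"))
    return dict(per_ip), findings

# Constructed sample traffic (documentation-range IPs, invented handle names), not a real capture.
_NORMAL = ('198.51.100.2 - - [06/Feb/2018:10:00:04 +0000] "GET /wp-admin/load-scripts.php'
           '?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9.4 HTTP/1.1" 200 98765 "-" "Mozilla/5.0"')
_BULK = ",".join(f"handle-{i}" for i in range(30))
_ABUSIVE = ('203.0.113.7 - - [06/Feb/2018:10:00:05 +0000] "GET /wp-admin/load-scripts.php'
            f'?c=1&load={_BULK} HTTP/1.1" 503 0 "-" "python-requests/2.18"')
SAMPLE_LOG = "\n".join([_NORMAL] + [_ABUSIVE] * 3)

if __name__ == "__main__":
    for ip, reason in analyze(SAMPLE_LOG, max_requests=2)[1]:
        print(f"{ip}: {reason}")
```

The handle-count check catches the abusive request shape on its own; the request-count check is what a rate limit at the server or network level (as WordPress suggested) would enforce, so lowering max_requests for a shared host is a reasonable starting point.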