Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites

BrandonSheley
Not a good day for WordPress users...

A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in the WordPress CMS platform that could allow anyone to take down most WordPress websites even with a single machine—without hitting them with the massive amount of bandwidth required in network-level DDoS attacks to achieve the same.

Since the company has declined to patch the issue, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released in the last nine years, including the latest stable release of WordPress (Version 4.9.2).

Discovered by Israeli security researcher Barak Tawily, the vulnerability resides in the way "load-scripts.php," a built-in script in the WordPress CMS, processes user-defined requests.


For those unaware, load-scripts.php file has only been designed for admin users to help a website improve performance and load page faster by combining (on the server end) multiple JavaScript files into a single request.
more info: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
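As an added illustration of the defensive side (this is not code from the thread, the article or WordPress itself): a small Python detector that scans web-server access logs for clients hammering load-scripts.php or asking it to bundle an unusually long script list in one request. It assumes the Apache/nginx "combined" log format, WordPress's load[] query parameter, constructed sample log lines, and thresholds that are placeholders to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')

def parse_line(line):
    """Parse one combined-format log line; return None unless it targets load-scripts.php."""
    m = LOG_RE.match(line)
    url = urlparse(m['target']) if m else None
    if not url or not url.path.endswith('/load-scripts.php'):
        return None
    # WordPress takes the script list as comma-separated load[] values (key arrives URL-encoded as load%5B%5D; parse_qs decodes it)
    handles = [h for v in parse_qs(url.query).get('load[]', []) for h in v.split(',') if h]
    return {'ip': m['ip'], 'handles': handles,
            'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')}

def detect(lines, window_s=10, max_requests=20, max_handles=30):
    """Flag clients flooding load-scripts.php or requesting oversized bundles (thresholds are assumptions)."""
    alerts, per_ip = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        if len(rec['handles']) > max_handles:
            alerts.append((rec['ip'], 'oversized load list: %d handles' % len(rec['handles'])))
        per_ip[rec['ip']].append(rec['ts'])
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_requests:
                alerts.append((ip, '%d requests within %ds' % (end - start + 1, window_s)))
                break
    return alerts

def make_line(ip, second, handles):  # builds one constructed combined-format line (sample data, not real traffic)
    return ('%s - - [10/Feb/2018:12:00:%02d +0000] "GET /wp-admin/load-scripts.php?c=1&load%%5B%%5D=%s '
            'HTTP/1.1" 200 91234 "-" "Mozilla/5.0"' % (ip, second, ','.join(handles)))

def sample_log():
    """Constructed traffic: a normal client, a flooding client and one oversized request."""
    lines = [make_line('198.51.100.4', 3, ['jquery-core', 'jquery-migrate']),
             '198.51.100.4 - - [10/Feb/2018:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"']
    lines += [make_line('203.0.113.7', i % 10, ['jquery-core']) for i in range(25)]
    lines.append(make_line('203.0.113.9', 7, ['handle-%d' % i for i in range(40)]))
    return lines
```

Running `detect(sample_log())` reports the flooding client and the oversized request while the normal client stays silent; the same `detect` works on a real access log opened as an iterable of lines.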

zappaDPJ (Administrator)
Version 4.9.3, one release on from what's been detailed in that article, introduced a 'severe' bug which causes sites that support automatic background updates to fail to update automatically. Version 4.9.4, just released, fixes that bug. Good job we all regularly check our WordPress sites to ensure automatic updates are working...

I only mention this just in case there's a fix issued for the vulnerability above and you have automatic updates running, because you ain't gonna get it.