A new zero-day vulnerability has been discovered in WordPress (CVE-2018-6389).
If the path “/wp-admin/” is left open, malicious actors can exploit this vulnerability to perform a denial-of-service (DoS) attack against WordPress.
The attack is fairly simple to execute: an unskilled attacker could use the existing public exploit to take down almost any unprotected site. Since WordPress holds a large share of blog hosting, this vulnerability is severe. So far, a few dozen exploit attempts have been reported in the wild.
Oracle Dyn recommends updating the access control list for the WordPress admin path on all versions of WordPress to limit exposure, in addition to using Oracle Dyn WAF for protection. Also, since essential WordPress modules are vulnerable to this exploit, you may not be able to blacklist/whitelist, as that might break the blog login page. Oracle Dyn has developed a WAF rule to address this issue for customers.