
New Zero-Day Discovered in WordPress: CVE-2018-6389

A new zero-day vulnerability has been discovered in WordPress (CVE-2018-6389).

If the path “/wp-admin/” is left open, WordPress is vulnerable to malicious actors exploiting this flaw to perform a denial of service (DoS) attack.

The vulnerability exists due to a flaw in the server-side static file loading mechanism. The “load” argument of the modules “load-styles.php” and “load-scripts.php”, both residing under the path “/wp-admin/”, is vulnerable: it accepts an array of JavaScript and CSS filenames to fetch while the page is loading, and that is what makes the attack possible.

The load-scripts.php or load-styles.php files were designed for admin users to help improve performance by concatenating multiple JavaScript files into a single request.

The attack is fairly simple to execute: an unskilled attacker could use the existing public exploit to take down almost any unprotected site, and since WordPress holds a large share of blog hosting, this vulnerability is severe. So far, a few dozen exploitation attempts have been reported in the wild.

Oracle Dyn recommends updating the access control list for the WordPress admin path on all versions of WordPress to limit exposure, in addition to using the Oracle Dyn WAF for protection. Also, since essential WordPress modules are affected by this exploit, you may not be able to simply blacklist/whitelist them, as that might break the blog login page. Oracle Dyn has developed a WAF rule to address this issue for customers.
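As an added illustration of the two defensive points above, detecting abuse of the concatenation scripts and restricting the admin path, the following Python script is not code from Oracle Dyn or WordPress. It parses constructed web-server access-log lines, flags requests to load-scripts.php or load-styles.php that ask for an unusually large number of handles, counts such requests per source address, and applies a simple allow-list to anything under /wp-admin/. The log format, the MAX_HANDLES threshold, the sample lines and the allowed network are all assumptions chosen for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# The two concatenation scripts named in the advisory; both live under /wp-admin/.
CONCAT_SCRIPTS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")

# Assumed threshold: a legitimate admin page concatenates a handful of handles,
# so a single request asking for many dozens is treated as suspicious.
MAX_HANDLES = 30

# Assumed log format (Apache/nginx "common" style):
# ip - - [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample log lines (not real traffic). The second one asks for 80
# placeholder handles, which is what the detector should flag.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php'
    '?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9.2 HTTP/1.1" 200 1234',
    '203.0.113.5 - - [06/Feb/2018:10:00:02 +0000] "GET /wp-admin/load-scripts.php'
    '?c=1&load%5B%5D=' + ",".join(f"handle-{i}" for i in range(80))
    + '&ver=4.9.2 HTTP/1.1" 200 1234',
    '198.51.100.7 - - [06/Feb/2018:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5678',
    '203.0.113.5 - - [06/Feb/2018:10:00:04 +0000] "GET /wp-admin/load-styles.php'
    '?c=1&load=common,forms HTTP/1.1" 200 999',
]

# Constructed allow-list: only this network may reach the admin path.
ADMIN_ALLOWED = [ipaddress.ip_network("192.0.2.0/24")]


def parse_log_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_load_handles(target):
    """Number of handles requested via load[] / load; 0 if the target is not a concat script."""
    parts = urlsplit(target)
    if parts.path not in CONCAT_SCRIPTS:
        return 0
    qs = parse_qs(parts.query)  # decodes the %5B%5D in the key to "load[]"
    handles = []
    for key in ("load[]", "load"):
        for value in qs.get(key, []):
            handles.extend(h for h in value.split(",") if h)
    return len(handles)


def classify_request(line, max_handles=MAX_HANDLES):
    """Return 'unparsed', 'other', 'normal' or 'suspicious' for one log line."""
    rec = parse_log_line(line)
    if rec is None:
        return "unparsed"
    n = count_load_handles(rec["target"])
    if n == 0:
        return "other"
    return "suspicious" if n > max_handles else "normal"


def suspicious_sources(lines, max_handles=MAX_HANDLES):
    """Map each client IP to the number of suspicious concat-script requests it made."""
    counts = {}
    for line in lines:
        if classify_request(line, max_handles) == "suspicious":
            ip = parse_log_line(line)["ip"]
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def is_admin_path_allowed(client_ip, path, allowed_networks):
    """Access-control decision: the admin path is reachable only from allowed networks.

    Assumption: front-end features that also call scripts under /wp-admin/ would be
    blocked as well; add explicit exceptions for those paths if the site needs them.
    """
    if not path.startswith("/wp-admin/"):
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowed_networks)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_request(line), parse_log_line(line)["target"][:60])
    print("suspicious sources:", suspicious_sources(SAMPLE_LOG))
    print("203.0.113.5 -> /wp-admin/:",
          is_admin_path_allowed("203.0.113.5", "/wp-admin/load-scripts.php", ADMIN_ALLOWED))
```

The handle-count check is deliberately independent of which handles are named, so it does not need a list of module names to maintain; the allow-list function is the log-level equivalent of the access control list recommended above and would normally be enforced in the web server or WAF rather than in application code.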


Whois: Rebecca Carter

Rebecca Carter is a Product Marketing Manager at Oracle Dyn Global Business Unit, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.