Serious DoS flaw spotted in WordPress platform - affects most versions

News by Rene Millman

Vulnerability so simple, anyone could use it. Security researchers have discovered a flaw in open source CMS WordPress that would allow a hacker to take down a website through a DoS attack with a single machine.


According to a blog post, Israeli security researcher Barak Tawily said the flaw can be found in how "load-scripts.php," a built-in script in WordPress CMS, processes user-defined requests.

The flaw exists in almost all versions of WordPress released in the last nine years, including the latest one (Version 4.9.2). When the “load-scripts.php” WordPress script receives a parameter called load[] with the value ‘jquery-ui-core’, the CMS responds with the JS module ‘jQuery UI Core’ that was requested.

The script was designed for WordPress admins and allows multiple JavaScript files to be loaded in a single request. However, Tawily found that it is possible to call the function before login, allowing anyone to invoke it.

Depending on the plugins and modules installed on a website, the load-scripts.php file selectively calls essential JavaScript files by passing their names into the "load" parameter, separated by a comma.

When the website is loading, this script attempts to find all the JavaScript file names given in the URL, appends their content into a single file and then sends it back to the user's browser.

Tawily said that a hacker could simply force load-scripts.php to call all possible JavaScript files at once by adding these file names into a URL. This would then slow the website down, consuming processor cycles and server memory.

“There is a well-defined list ($wp_scripts), that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user,” said Tawily.

While a single request would not overload a webserver, Tawily showed how a proof-of-concept (PoC) Python script, called could make many concurrent requests and take down a server.

“Load-scripts.php does not require any authentication, an anonymous user can do so. After ~500 requests, the server didn't respond at all any more, or returned 502/503/504 status code errors,” added Tawily.

The researcher contacted WordPress through HackerOne over the flaw. He said that after going back and forth about it a few times and trying to explain and provide a PoC, they refused to acknowledge it and claimed that: "This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress's control."

“So if you are currently using, or are about to use, WordPress, I would highly recommend you use the patched version,” he added.

Lee Munson, security researcher for, told SC Media UK that given no patch is available, or likely to be any time soon, the onus appears to be on bloggers to arrange their own DDoS protection through their web hosts, “something that may be beyond the budgets of hobbyists and newly started businesses”.

"With over a quarter of the sites on the web running on WordPress, it may be time for low traffic bloggers to consider an alternative content management system for their wordsmithing."

Ben Herzberg, head of threat research at Imperva, said that this new vulnerability effectively renders the WordPress core susceptible to DoS attacks.

“Due to its simplicity, a low skill attacker can utilise the existing public exploit to take down any unprotected WordPress site. This is extremely serious considering 29 percent of websites and 60 percent of CMS worldwide are WordPress based. WordPress sites can protect against the attack by restricting access to the vulnerable resources, or capping the rate at which their clients can access these resources.”
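For site operators deciding where to restrict access or cap rates, the following added example (not code from the article, the researcher or WordPress) scans a web server access log for clients whose load-scripts.php requests carry unusually long load[] lists or arrive in bulk. It assumes Combined Log Format; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: client IP ... "METHOD URL PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

def handle_count(url):
    """Script names requested via load / load[] / load[n]; None if not load-scripts.php."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/load-scripts.php"):
        return None
    return sum(len([h for h in value.split(",") if h])
               for key, value in parse_qsl(parts.query)
               if key == "load" or key.startswith("load["))

def suspicious_clients(lines, max_handles=40, max_requests=20):
    """Map client IP -> reasons. Thresholds are assumptions; tune to your admin traffic."""
    requests, biggest, gateway_errors = Counter(), Counter(), Counter()
    for ip, url, status in (m.groups() for m in map(LOG_RE.match, lines) if m):
        n = handle_count(url)
        if n is None:
            continue
        requests[ip] += 1
        biggest[ip] = max(biggest[ip], n)
        gateway_errors[ip] += status in ("502", "503", "504")
    report = {}
    for ip, count in requests.items():
        reasons = []
        if biggest[ip] > max_handles:
            reasons.append(f"{biggest[ip]} handles in one request")
        if count > max_requests:
            reasons.append(f"{count} requests, {gateway_errors[ip]} answered 502/503/504")
        if reasons:
            report[ip] = reasons
    return report

def sample_log():
    """Constructed log lines (documentation IP ranges, made-up script names)."""
    fmt = '{ip} - - [05/Feb/2018:10:00:{s:02d} +0000] "GET {url} HTTP/1.1" {st} 512 "-" "-"'
    many = "/wp-admin/load-scripts.php?c=1&load%5B%5D=" + ",".join(f"handle{i}" for i in range(60))
    few = "/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core"
    lines = [fmt.format(ip="198.51.100.7", s=i, url=many, st=200 if i < 20 else 503) for i in range(25)]
    lines += [fmt.format(ip="203.0.113.5", s=i, url=few, st=200) for i in range(2)]
    lines.append(fmt.format(ip="203.0.113.9", s=0, url="/index.php", st=200))
    return lines

if __name__ == "__main__":
    print(suspicious_clients(sample_log()))
```

Clients flagged here are candidates for the rate caps or access restrictions described above; an admin session loading a handful of scripts stays below both thresholds.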
