Denial of service in WordPress

Published: 2018-02-05 | Updated: 2018-02-09
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-6389
CWE ID CWE-400
Exploitation vector Network
Public exploit N/A
Vulnerable software WordPress Subscribe
Vendor WordPress.ORG

Security Advisory

This security advisory describes one low risk vulnerability.

1) Resource exhaustion

Severity: Low

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-6389

CWE-ID: CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the server-side static file loading mechanism due to the way a built-in script in WordPress CMS "load-scripts.php" processes user-defined requests. A remote attacker can send force load-scripts.php to call all possible JavaScript files, consume high CPU and server memory and cause the service to crash.

Mitigation

Update to version 4.9.3.

Vulnerable software versions

WordPress: 3.4.0, 3.4.1, 3.4.2, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.0.20, 4.0.21, 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.1.17, 4.1.18, 4.1.19, 4.1.20, 4.1.21, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.2.15, 4.2.16, 4.2.17, 4.2.18, 4.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.3.12, 4.3.13, 4.3.14, 4.4, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.4.13, 4.5, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9, 4.5.10, 4.5.11, 4.5.12, 4.6, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.7, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8, 4.8, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.9, 4.9.1, 4.9.2

CPE External links

https://thehackernews.com/2018/02/wordpress-dos-exploit.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



ImmuniWeb® AI Platform for Application Security Testing