Unpatched Vulnerability Exposes WordPress Sites to Denial-of-Service Attacks

by Lucian Constantin on February 8, 2018

Attackers can render many WordPress websites unresponsive by exploiting an unpatched vulnerability in core modules that loads JS and CSS files to improve performance.

The issue stems from the “load” parameter in the load-styles.php and load-scripts.php modules that can be used to fetch an array of scripts when a page is loaded. Because these modules reside under the wp-admin folder, they are normally used on pages that require authentication, with the exception of the login page itself, which is normally available to unauthenticated users.

“A malicious user can repeatedly request an excessive list of JS/CSS files, causing the server to retrieve vast amounts of data—and in so—render it unresponsive,” researchers from web security firm Imperva warned in a blog post.

The issue was found by researcher Barak Tawily, who reported it to WordPress. However, he claims the developers don’t plan to fix it because they feel “this kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress’s control.”

As a result, Tawily released his exploit publicly, together with a proposed fix that restricts access to the two files to authenticated users without affecting the wp-login.php page. However, the fix involves making changes to core WordPress files and could create problems down the road when applying future updates.

Sponsorships Available

“Until today (February 6, 2018), we have only seen a few dozen exploit attempts using this vulnerability, but we might see a steep rise in attacks using this exploit due to the popularity of the platform, unless a mitigation will be applied in the near future,” the Imperva researchers said.

One mitigation could be to restrict access to the two files based on IP address or to enable two-factor authentication for the wp-admin directory. Enforcing rate limits for the files could also stop exploitation attempts because they rely on requested the resources repeatedly in an attempt to keep the server busy.

Due to its popularity, the WordPress platform has been a common target for hackers over the years. However, most attacks focus on injecting malicious content into web pages, which can be monetized, rather than rendering the unavailable and immediately tipping off their administrators.

“Compared to many other WordPress vulnerabilities that allow attackers to take full control of the vulnerable website and even of the web server, this flaw is of a minor importance,” said Ilia Kolochenko, CEO of web security company High-Tech Bridge, via email. “I don’t think professional cybercriminals will leverage it in their hacking campaigns in the near future. Exploitation for ‘fun’ is, however, foreseeable but won’t have major consequences compared to other incidents.”

Police Operation Dismantles Large Card and Identity Fraud Forum

A U.S.-led cross-border law enforcement operation has dismantled a large online forum used for buying and selling stolen credit cards, personally identifiable information, malware and other illegal goods.

The U.S. Justice Department has charged 36 individuals for their role in running the forum, which was called Infraud. The forum ran since 2010 and had almost 11,000 members. Prosecutors have identified the forum’s creator as Svyatoslav Bondarenko, a 34-year-old man from Ukraine known online as Obnon, Rector and Helkern.

“During the course of its seven-year history, the Infraud Organization inflicted approximately $2.2 billion in intended losses, and more than $530 million in actual losses, on a wide swath of financial institutions, merchants, and private individuals, and would have continued to do so for the foreseeable future if left unchecked,” the DOJ said in a press release.

Thirteen of the 36 indicted individuals have been arrested with the help of authorities in six countries: Australia, the United Kingdom, France, Italy, Kosovo and Serbia. Law enforcement agencies from Albania and Luxembourg also helped with the investigation.

— Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin