Recently, a critical vulnerability (CVE-2018-6389) that can be used to mount a denial-of-service (DoS) attack against WordPress websites has come to our attention. Nexusguard clients using our Application Protection solution on their WordPress websites can rest assured that this and similar WordPress vulnerabilities are mitigated by our Web Application Firewall (WAF).
The vulnerability stems from the way WordPress serves bundled static files. Two scripts under the /wp-admin/ path, load-scripts.php and load-styles.php, accept a "load" parameter that names the JS or CSS files to return; the server reads every file named in that list and concatenates them into a single response while the page is loading.
When a page needs many JS or CSS files, the browser requests them through load-scripts.php (for JS) or load-styles.php (for CSS) in one request instead of one request per file. The feature was designed to cut page load time for the sake of a better user experience.
One must note that load-styles.php and load-scripts.php are intended to serve admin pages. However, the public login page also relies on them, so they are reachable without authentication: an unauthenticated attacker can send repeated requests that each name an excessive number of JS/CSS files, exhausting server resources and rendering the website inaccessible.
Since a single request to load-scripts.php or load-styles.php can name up to all 181 registered JS files or over 300 CSS files respectively, server resources are exhausted quickly when many such requests arrive at once.
Because load-scripts.php requires no authentication, anyone with basic scripting skills can bring down an unprotected WordPress site with a simple script aimed at the public login page. As with other known WordPress vulnerabilities, having a reliable WAF in front of your WordPress website is of prime importance.
Before we apply virtual patches, our security team can help you build a custom WAF rule-set for the best mitigation results against this WordPress vulnerability, after baselining your site's typical file-request patterns and cataloguing the JS/CSS libraries that are legitimately accessible.
In parallel, we are fine-tuning our WAF engines; hotfixes and updates will be delivered by way of virtual patching at a later stage.
Mitigation methods will include:
- Limiting the number of JS/CSS files that may be retrieved in a single request,
- Restricting the JS/CSS libraries that unauthenticated requests may access,
- Checking whether the URI path contains "load-styles.php" or "load-scripts.php", and
- Distinguishing legitimate users from attackers by checking whether the cookies sent by the requesting browser include a WordPress login cookie.
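The four checks above, together with the "load" parameter parsing described earlier on this page, modeled as an added example. This is Python written for this page; it is not Nexusguard's rule-set and not WordPress code. The thresholds, the allowlist of handles the login page is assumed to need, the cookie name prefix check and the sample request lines are all assumptions, and the sample traffic is constructed rather than captured.

```python
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlsplit

# Assumed thresholds and allowlist; baseline them from your own site's traffic.
TARGET_SCRIPTS = ("load-scripts.php", "load-styles.php")
MAX_HANDLES = 60            # cap per request; admin pages bundle a few dozen, an attack names all 181
LOGIN_PAGE_HANDLES = {      # handles an unauthenticated login page is assumed to need
    "jquery-core", "jquery-migrate", "utils", "common", "wp-a11y",
    "login", "buttons", "dashicons", "forms", "l10n",
}
RATE_LIMIT = 10             # unauthenticated requests per client per window
WINDOW_SECONDS = 10.0


def parse_handles(query):
    """Return the handles named in the load parameter of a query string.

    WordPress accepts both load[]=... and load=...; each value is a
    comma-separated list of script/style handles, so one request can name many.
    """
    params = parse_qs(query, keep_blank_values=True)
    handles = []
    for key in ("load[]", "load"):
        for value in params.get(key, []):
            handles.extend(h.strip() for h in value.split(",") if h.strip())
    return handles


def has_wordpress_login_cookie(cookies):
    """Rule 4: a wordpress_logged_in_<hash> cookie suggests a logged-in user.
    The name alone is spoofable, so it only relaxes limits, never lifts the cap."""
    return any(name.startswith("wordpress_logged_in_") for name in cookies)


class LoadScriptsGuard:
    def __init__(self, max_handles=MAX_HANDLES, allowed=LOGIN_PAGE_HANDLES,
                 rate_limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.max_handles = max_handles
        self.allowed = set(allowed)
        self.rate_limit = rate_limit
        self.window = window
        self._hits = defaultdict(deque)     # client -> timestamps of recent requests

    def evaluate(self, client, url, cookies, now):
        """Return (allowed, reason) for one request."""
        parts = urlsplit(url)
        # Rule 3: only the two bundling endpoints are inspected.
        if parts.path.rsplit("/", 1)[-1] not in TARGET_SCRIPTS:
            return True, "not a load-* endpoint"
        handles = parse_handles(parts.query)
        # Rule 1: cap the number of files one request may pull, logged in or not.
        if len(handles) > self.max_handles:
            return False, f"{len(handles)} handles exceeds cap of {self.max_handles}"
        if has_wordpress_login_cookie(cookies):
            return True, "within cap, login cookie present"
        # Rule 2: unauthenticated callers may only fetch what the login page needs.
        extra = sorted(set(handles) - self.allowed)
        if extra:
            return False, f"handles outside login allowlist: {extra[:3]}"
        # Rule 4 (continued): rate-limit callers without a login cookie.
        hits = self._hits[client]
        while hits and now - hits[0] > self.window:
            hits.popleft()
        hits.append(now)
        if len(hits) > self.rate_limit:
            return False, f"more than {self.rate_limit} requests in {self.window:g}s"
        return True, "ok"


# Constructed sample traffic, not captured from a real site.
LOGIN_PAGE_REQUEST = "/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9.2"
ADMIN_PAGE_REQUEST = "/wp-admin/load-scripts.php?c=1&load%5B%5D=hoverIntent,common,admin-bar,dashboard&ver=4.9.2"
BULK_REQUEST = "/wp-admin/load-scripts.php?c=1&load%5B%5D=" + ",".join(
    ["jquery-core", "jquery-migrate", "utils", "common", "wp-a11y"] * 40) + "&ver=4.9.2"


def run_samples():
    guard = LoadScriptsGuard()
    anon, admin = {}, {"wordpress_logged_in_abc123": "x"}
    results = {
        "login_page_anon": guard.evaluate("203.0.113.5", LOGIN_PAGE_REQUEST, anon, 0.0),
        "bulk_anon": guard.evaluate("203.0.113.5", BULK_REQUEST, anon, 0.1),
        "bulk_admin": guard.evaluate("198.51.100.7", BULK_REQUEST, admin, 0.2),
        "admin_page_anon": guard.evaluate("203.0.113.5", ADMIN_PAGE_REQUEST, anon, 0.3),
        "admin_page_admin": guard.evaluate("198.51.100.7", ADMIN_PAGE_REQUEST, admin, 0.4),
        "other_path": guard.evaluate("203.0.113.5", "/wp-login.php?action=lostpassword", anon, 0.5),
    }
    # A flood of otherwise-valid login-page requests from one address: the
    # first RATE_LIMIT hits pass, the next one inside the window is dropped.
    verdicts = [guard.evaluate("203.0.113.9", LOGIN_PAGE_REQUEST, anon, 10.0 + i * 0.1)[0]
                for i in range(RATE_LIMIT + 1)]
    results["flood"] = (verdicts[:RATE_LIMIT] == [True] * RATE_LIMIT and not verdicts[-1],
                        "rate limit")
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{name:18} {'ALLOW' if allowed else 'BLOCK':5} {reason}")
```

Two design points worth noting. The per-request cap is applied before the cookie check, because a wordpress_logged_in_* cookie is matched here by name only and an attacker can send an arbitrary cookie with that name; the cookie therefore relaxes the allowlist and rate limit but never lifts the cap. The allowlist of handles is the part most likely to need tuning: it should be derived from a baseline of what your own login page actually requests, which is exactly the baselining step described earlier on this page.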
Meanwhile, our 24x7 SOC applies a dynamic mitigation strategy to determine under what circumstances the mitigation platform should treat the login URL as being abused.
For more information, please read about Nexusguard’s Application Protection.