The researcher notes that from a single machine it is unlikely that an attacker could take down a WordPress site hosted on a powerful dedicated server. If, however, the attacker has a high-bandwidth connection or several bots at their disposal, the attack works against such a target as well, and it costs the attacker far less than a conventional DDoS.
A video demonstration of the attack can be seen below.
Although DoS vulnerabilities are out of scope for the WordPress bug bounty program, Tawily nonetheless reported the problem to the developers through the HackerOne platform. Unfortunately, the WordPress maintainers did not consider the discovered vulnerability serious enough and replied that such problems should be addressed at the server or network level rather than in the application. In other words, there is no patch for this bug. In response, Barak Tawily published his own fork of WordPress on GitHub in which the vulnerability is fixed. The researcher also released a bash script that applies the fix to existing WordPress installations. Source: xaker.ru
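Since the maintainers' answer points at the web server rather than at WordPress itself, here is an nginx fragment, added as an example for this page (it is not code from the article, from the researcher's fork, or from the WordPress project), that rate-limits the script-concatenation endpoint per client IP. The endpoint paths (wp-admin/load-scripts.php and load-styles.php), the zone name, the rate and burst values, and the PHP-FPM socket path are assumptions chosen for illustration and should be adjusted to the actual installation.

```nginx
# http {} context: one rate-limit zone keyed on the client address.
# 10 MB of shared state holds roughly 160k addresses; 2 r/s is generous
# for a real browser, which fetches these bundles a handful of times per
# admin page load, but far too slow for a tight request loop.
# (zone name, size and rate are illustrative assumptions)
limit_req_zone $binary_remote_addr zone=wp_loader:10m rate=2r/s;

server {
    listen 80;
    server_name example.com;          # assumed host name
    root /var/www/wordpress;          # assumed document root
    index index.php;

    # The concatenation scripts are the expensive endpoints: each request
    # can ask PHP to read and glue together a long list of bundled files.
    # Path regex assumed from the standard WordPress layout.
    location ~ ^/wp-admin/load-(scripts|styles)\.php$ {
        # Allow short bursts (a page load), then reject with 429 instead
        # of queueing, so excess requests never reach PHP-FPM.
        limit_req zone=wp_loader burst=5 nodelay;
        limit_req_status 429;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Everything else follows the usual WordPress front-controller rules.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

Validate with `nginx -t` and apply with `nginx -s reload`. Two caveats a practitioner should keep in mind: the limit is keyed on the source address, so a botnet that spreads requests across many IPs still gets the full per-address budget from each of them, which is exactly the point the researcher makes about distributed attackers; and `limit_req` only reduces how many expensive requests reach PHP, it does not make any single request cheaper. The setting raises the attacker's cost, it does not remove the underlying issue the fork addresses.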