WordPress site administrators have had a tough week. On Monday, February 5, 2018, the developers published a new version of the CMS (WordPress 4.9.3) that was supposed to fix a number of minor problems but instead accidentally broke the automatic update mechanism, which lets the CMS update itself without user intervention.
Although the error was quickly noticed, and the very next day WordPress 4.9.4 was released to restore normal operation of the automatic update system, there was an obvious problem: users whose update system was already broken did not receive an automatic fix in the form of WordPress 4.9.4, and they may not even know it exists. To install version 4.9.4, affected users need to initiate the update manually from the control panel.
More bad news: both versions (4.9.3 and 4.9.4) still lack a patch for the CVE-2018-6389 vulnerability, which was previously reported by independent Israeli information security specialist Barak Tawily.
Let me remind you that this critical DoS vulnerability is related to the operation of load-scripts.php. In effect, the bug allows almost any vulnerable site to be “dropped” by sending it specially crafted requests.
The specialist warned that it is unlikely a WordPress site running on a powerful dedicated server could be “taken down” from a single computer; however, if the attacker has plenty of bandwidth or several bots at their disposal, the attack will work against such a resource too, and it will be cheaper for the attacker than a regular DDoS.
Although Tawily notified the CMS developers about the problem, they did not consider the discovered vulnerability serious enough and said that such problems should be solved at the server or network level, not at the application level. Judging by the absence of patches in versions 4.9.3 and 4.9.4, the developers have not changed their decision yet.
At the same time, journalists from Bleeping Computer warn that proof-of-concept exploits for CVE-2018-6389 are freely available online (1, 2). Moreover, Imperva specialists prepared their own report, in which they fully agreed with Barak Tawily’s conclusions and reported that attacks exploiting this bug are already hitting WordPress sites.
Let me remind you that Tawily published his own fork of WordPress on GitHub, in which the vulnerability is fixed. The researcher also publicly released a bash script that fixes the problem in existing WordPress installations. Now there is another possible way around the problem: you can protect yourself from the vulnerability using ModSecurity.
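As an added defensive example, not taken from the article or from any of the tools it mentions: a log check that flags load-scripts.php (and load-styles.php) requests carrying an abnormally long script list, which is the traffic a ModSecurity rule for this bug would also key on. It assumes the publicly documented mechanism of CVE-2018-6389 (the `load[]` query parameter of load-scripts.php accepting many comma-separated script handles), a constructed threshold, and constructed Apache access-log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed threshold: normal pages batch a handful of handles per request,
# so a request naming dozens or hundreds of them is worth flagging.
MAX_HANDLES = 50

# Apache "combined"-style access log line (only the fields we need are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+)'
)

def count_handles(request_path):
    """Return the number of script/style handles requested via load[] (0 if not a loader request)."""
    parts = urlsplit(request_path)
    if not parts.path.endswith(("/load-scripts.php", "/load-styles.php")):
        return 0
    qs = parse_qs(parts.query)  # decodes %5B%5D so the key appears as "load[]"
    handles = 0
    for value in qs.get("load[]", []) + qs.get("load", []):
        handles += len([h for h in value.split(",") if h])
    return handles

def find_suspicious(log_text, max_handles=MAX_HANDLES):
    """Return (ip, handle_count, path) for every request exceeding max_handles."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        n = count_handles(m.group("path"))
        if n > max_handles:
            hits.append((m.group("ip"), n, m.group("path")))
    return hits

# Constructed sample log: one normal loader request, one unrelated request,
# and one request with a generated stand-in list of 180 handles.
_LONG = ",".join(f"handle-{i}" for i in range(180))
SAMPLE_LOG = (
    '203.0.113.10 - - [07/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate&ver=4.9.4 HTTP/1.1" 200 97412\n'
    '203.0.113.10 - - [07/Feb/2018:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2931\n'
    f'198.51.100.7 - - [07/Feb/2018:10:00:03 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D={_LONG}&ver=4.9.4 HTTP/1.1" 200 1023871\n'
)

if __name__ == "__main__":
    for ip, n, path in find_suspicious(SAMPLE_LOG):
        print(f"{ip} requested {n} handles in one call: {path[:60]}...")
```

Feed it a real access log to size the threshold for your site before turning the same condition into a blocking rule.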