Wordpress Threats

WordPress update broke auto-updates feature

Tom Grant
Last updated: 10 October (2 years ago)

WordPress site administrators have had a tough week. On Monday, February 5, 2018, the developers published a new version of the CMS (WordPress 4.9.3) that was supposed to fix a number of minor problems but instead accidentally broke the automatic update mechanism, the feature that lets the CMS update itself without user intervention.

Although the error was quickly noticed and WordPress 4.9.4, which restores normal operation of the automatic update system, was released the very next day, an obvious problem remained: users whose update mechanism had already been broken by 4.9.3 did not receive 4.9.4 automatically and may not even know it exists. To install version 4.9.4, affected users have to start the update manually from the admin dashboard.

Another piece of bad news is that both versions (4.9.3 and 4.9.4) still lack a patch for CVE-2018-6389, the vulnerability previously reported by independent Israeli information security researcher Barak Tawily.

As a reminder, this critical DoS vulnerability is related to how load-scripts.php works. In short, the bug lets an attacker “drop” almost any vulnerable site by sending it specially crafted requests.

Tawily discovered that an attacker can force load-scripts.php to load every available JavaScript file at once simply by listing them all in the URL. As a result, the attacked site starts to respond much more slowly, consuming more and more server resources. A single such request will not cause a denial of service, of course, but the researcher wrote a proof-of-concept exploit: a simple Python script, doser.py, which sends many such requests to the target URL. After roughly 500 requests, an average site hosted on a VPS stops responding altogether and returns only 502, 503 and 504 errors.

The researcher warned that a WordPress site running on a powerful dedicated server is unlikely to be taken down from a single computer; however, if the attacker has a high-bandwidth connection or several bots at his disposal, the attack will work against such a site too, and it will cost the attacker less than a conventional DDoS.

Although Tawily notified the CMS developers about the problem, they did not consider the vulnerability serious enough and said that such problems should be solved at the server or network level rather than at the application level. Judging by the absence of a patch in versions 4.9.3 and 4.9.4, the developers' position has not changed yet.

At the same time, journalists at Bleeping Computer warn that a proof-of-concept exploit for CVE-2018-6389 is freely available online (1, 2). Moreover, Imperva specialists published their own report, in which they fully agreed with Barak Tawily's conclusions and reported that WordPress sites are already being attacked through this bug.

As a reminder, Tawily published his own fork of WordPress on GitHub in which the vulnerability is fixed. The researcher also released a bash script that fixes the problem in existing WordPress installations. There is now another possible workaround: you can protect yourself from the vulnerability using ModSecurity.
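For administrators who cannot patch or fork the CMS and want to see whether their site is already being hit, the following added example (not code from the article, from Tawily or from the WordPress project) shows the two signals the mechanism described above leaves in a web-server access log: single requests to load-scripts.php that ask for an unusually long list of script handles, and bursts of such requests from one client. It assumes the standard Apache/Nginx "combined" log format and that load-scripts.php receives its handles as a comma-separated `load` (or `load[]`) query parameter; the log lines, client addresses and handle names are constructed for the example. The thresholds are illustrative and should be tuned to a site's normal traffic.

```python
"""Flag abuse of WordPress load-scripts.php in access logs.

Added example; assumes the "combined" access-log format and a
comma-separated `load`/`load[]` query parameter. Sample data below
is constructed, not taken from any real site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# One "combined" log line: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

LOAD_SCRIPTS_PATH = "/wp-admin/load-scripts.php"


def parse_line(line):
    """Return a dict with ip, ts (datetime), path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def script_handle_count(path):
    """Count script handles requested via the load/load[] parameter."""
    query = parse_qs(urlsplit(path).query)
    handles = []
    for key in ("load", "load[]"):          # parse_qs decodes %5B%5D to []
        for value in query.get(key, []):
            handles.extend(h for h in value.split(",") if h)
    return len(handles)


def analyze(log_text, max_handles=40, burst_limit=20, window=timedelta(seconds=60)):
    """Return oversized requests and per-IP bursts against load-scripts.php."""
    oversized = []                       # (ip, handle_count) per suspicious request
    per_ip = defaultdict(list)           # ip -> timestamps of load-scripts.php hits
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(LOAD_SCRIPTS_PATH):
            continue
        count = script_handle_count(rec["path"])
        if count > max_handles:
            oversized.append((rec["ip"], count))
        per_ip[rec["ip"]].append(rec["ts"])

    # Sliding window: the largest number of hits from one IP inside `window`.
    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits > burst_limit:
                bursts[ip] = max(bursts.get(ip, 0), hits)
    return {"oversized": oversized, "bursts": bursts}


def _make_line(ip, second, handles):
    """Build a constructed combined-format log line for the sample below."""
    joined = ",".join(handles)
    return (f'{ip} - - [05/Feb/2018:10:00:{second:02d} +0000] '
            f'"GET {LOAD_SCRIPTS_PATH}?c=1&load%5B%5D={joined}&ver=4.9.3 HTTP/1.1" 200 12345')


# Constructed sample: one normal admin request, then 25 requests within
# 25 seconds from a single client, each naming 60 (made-up) script handles.
BENIGN_LINE = _make_line("203.0.113.7", 1, ["jquery-core", "jquery-migrate"])
BURST_LINES = [_make_line("198.51.100.9", 2 + i, [f"h{j}" for j in range(60)])
               for i in range(25)]
SAMPLE_LOG = "\n".join([BENIGN_LINE] + BURST_LINES)

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"oversized requests: {len(result['oversized'])}")
    for ip, hits in result["bursts"].items():
        print(f"burst from {ip}: {hits} load-scripts.php requests in one window")
```

Either signal on its own is a reason to rate-limit or block the client at the web server or WAF (the level at which the WordPress developers said the problem should be handled); the handle-count check is the cheaper one to turn into a ModSecurity or web-server rule, since it needs no per-client state.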


Source: xaker.ru

TAGGED: DoS, PoC, Security, WordPress
Tom Grant October 10, 2022 October 31, 2021