
  Post #2 (permalink)   02-05-2018, 02:19 PM
HD Master
Join Date: Apr 2015
Posts: 291

Status: Harv45 is online now
Originally Posted by easyhostmedia
WordPress isn’t going to patch it, either…
WordPress is the most popular Content Management System (CMS) in the entire world. In fact, WordPress powers 29% of the web. That’s why it’s alarming the company isn’t going to patch a DoS vulnerability that, when exploited, could easily bring down an entire website.

Let’s start back at the beginning.

Israeli researcher Barak Tawily discovered a vulnerability (CVE-2018-6389) in the way that “load-scripts.php” processes user-defined requests. “load-scripts.php” is a built-in script that was designed for users with admin permissions to help improve website performance and page load speeds by combining JavaScript files into a single request.

To do this, “load-scripts.php” calls the required JavaScript files by passing their names into its load parameter. Once it’s called every JavaScript file in a given URL, it sends them back in a single file.

That’s a lot to untangle; maybe this comparison will help. This script acts kind of like a project manager would: they manage a bunch of different inputs from different team members, then organize it into one coherent document before presenting it to management.

see more at
So in short, WordPress doesn't care about security and therefore there is nothing anyone can do about it?
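
An added example, not part of either post above and not WordPress code: a site operator can watch the web server access log for clients that repeatedly ask “load-scripts.php” for an unusually large number of script names through its load parameter. The thresholds, the Combined Log Format assumption and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Thresholds are assumptions for illustration; tune them against your own traffic.
MAX_HANDLES = 20      # script names in one request before it is flagged
MAX_HITS_PER_IP = 3   # flagged requests from one client before it is reported

# Combined Log Format (assumed): client, ident, user, [timestamp], "request line".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def handle_count(url):
    """Number of script names requested via the load parameter of load-scripts.php."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/load-scripts.php"):
        return 0
    handles = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # PHP array syntax arrives as load[] or load[...]; accept the plain form too.
        if key == "load" or key.startswith("load["):
            handles += [h for h in value.split(",") if h]
    return len(handles)

def suspicious_clients(lines):
    """Return {client_ip: flagged_request_count} for clients over MAX_HITS_PER_IP."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and handle_count(m.group(2)) > MAX_HANDLES:
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n > MAX_HITS_PER_IP}

def _line(ip, handles):
    """Build one constructed access-log line (documentation IP ranges only)."""
    url = "/wp-admin/load-scripts.php?c=1&load%5B%5D=" + ",".join(handles)
    return f'{ip} - - [05/Feb/2018:14:19:00 +0000] "GET {url} HTTP/1.1" 200 1024'

# Constructed sample: one client with small requests, one with oversized ones.
SAMPLE = (
    [_line("198.51.100.7", ["jquery-core", "jquery-migrate", "utils"])] * 10
    + [_line("203.0.113.9", [f"handle{i}" for i in range(60)])] * 5
)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE))
```

The same counts can feed a rate limit or a rule that restricts “load-scripts.php” to authenticated admin sessions, since the script was designed for users with admin permissions.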