WordPress Vulnerability: DoS flaw could bring down your site
WordPress isn’t going to patch it, either…
WordPress is the most popular Content Management System (CMS) in the entire world. In fact, WordPress powers 29% of the web. That’s why it’s alarming the company isn’t going to patch a DoS vulnerability that, when exploited, could easily bring down an entire website.

Let’s start back at the beginning. Israeli researcher Barak Tawily discovered a vulnerability (CVE-2018-6389) in the way that “load-scripts.php” processes user-defined requests. “load-scripts.php” is a built-in script that was designed for users with admin permissions to help improve website performance and page load speeds by combining JavaScript files into a single request. To do this, “load-scripts.php” calls the required JavaScript files by passing their names into its load parameter. Once it’s called every JavaScript file in a given URL it sends them back in a single file.

That’s a lot to untangle; maybe this comparison will help. This script acts kind of like a project manager would: they manage a bunch of different inputs from different team members, then organize it into one coherent document before presenting it to management.

See more at https://goo.gl/kfcALs
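An added example, not part of the original post or of WordPress's own code: a small Python check over web-server access logs that reports, per client, how many script names each request asks load-scripts.php to combine through its load parameter. The log lines, the threshold of 5 and the function names are constructed for illustration, and it assumes array-style load values are joined before being split on commas.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils HTTP/1.1" 200 4312
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-admin/load-scripts.php?load[]=a,b,c,d,e,f,g,h,&load[]=i,j,k,l HTTP/1.1" 200 99120
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-admin/load-scripts.php?load=a,b,c,d,e,f,g,h,i,j HTTP/1.1" 200 88001
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def handles_in(target):
    """Return the script names one request asks for, or None if not load-scripts.php."""
    parts = urlsplit(target)
    if not parts.path.endswith("/load-scripts.php"):
        return None
    # parse_qsl percent-decodes keys, so load%5B%5D arrives as "load[]".
    chunks = [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k == "load" or k.startswith("load[")]
    # Assumption: array-style values are joined first, then split on commas.
    return [h for h in "".join(chunks).split(",") if h]


def summarise(log_text, max_handles=5):
    """Per client IP: request count, largest handle list, requests over the threshold."""
    stats = defaultdict(lambda: {"requests": 0, "max_handles": 0, "flagged": 0})
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        handles = handles_in(match.group(2)) if match else None
        if handles is None:
            continue
        entry = stats[match.group(1)]
        entry["requests"] += 1
        entry["max_handles"] = max(entry["max_handles"], len(handles))
        entry["flagged"] += len(handles) > max_handles
    return dict(stats)


if __name__ == "__main__":
    for ip, entry in summarise(SAMPLE_LOG).items():
        print(ip, entry)
```

The threshold should be set from what the site's own admin pages normally request, since a busy dashboard legitimately combines several scripts per request.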
Yea, unfortunately, that's the truth. :/
While investigating our client's issue, we have seen so many abandoned plugins that are currently available for installation from the WordPress plugin repository that appear to have vulnerabilities that have not been fixed. The interesting fact is those plugins have not been modified for 2 years or more and some of them have thousands of active installs. LOL
Look at e107: several years ago they had a vulnerability that could not only hack into installations, but allowed hackers into the full server the installs were on, which they knew about and refused to patch. It took many of the sites using e107 getting hacked and taken down before they patched it, but, like me, many hosts still won't allow e107 installations on their servers.
The sad reality of WordPress! :( Though there are a number of security plugins, there is no new patch available, which causes very serious security issues.
That is why WordPress sites become the victims of hackers. :/
That way, clients who just press install and think that it's "all set" will actually get this, if you set it to auto-update by default. Other than that, those who will "uncheck" it will likely know "hey, updates are my problem now". Otherwise I would politely advise them to keep their installs up to date. Now, of course, plugins/themes are still a "problem", but generally that is under the "okay, if I install this then I need to keep this updated".
Thanks for the heads up. I guess I need to read up some more as I think I just read this morning that the percentage was 59% and not 29%. Not sure where I saw that.
It's a dark truth of WordPress. It is less secure than others. We should be careful if a website is on WordPress. They have some plugins for security purposes, but they are also not enough.