WordPress Vulnerability: DoS flaw could bring down your site
 

WordPress isn’t going to patch it, either…
WordPress is the most popular Content Management System (CMS) in the entire world. In fact, WordPress powers 29% of the web. That’s why it’s alarming the company isn’t going to patch a DoS vulnerability that, when exploited, could easily bring down an entire website.

Let’s start back at the beginning.

Israeli research Barak Tawily discovered a vulnerability (CVE-2018-6389) in the way that “load-scripts.php” processes user-defined requests. “load-scripts.php” is a built-in script that was designed for users with admin permissions to help improve website performance and page load speeds by combining JavaScript files into a single request.

To do this, “load-scripts.php” calls the required JavaScript files by passing their names into its load parameter. Once it’s called every JavaScript file in a given URL it sends them back in a single file.

That’s a lot to untangle, maybe this comparison will help. This script acts kind of like a project manager would: they manage a bunch of different inputs from different team members, then organize it into one coherent document before presenting it to management.

see more at

https://goo.gl/kfcALs

So in short Wordpress don't care about security and therefore there is nothing anyone can do about it?

Nothing has changed their, they have never cared about security in the past, but this time they have openly stated they wont patch this

Wow that's careless on whole another level for a software vendor do do just that. :uhh:

Yea, unfortunately, that's the truth. :/

While investigating our client's issue, we have seen so many abandoned plugins that are currently available for installation from the WordPress plugin repository that appear to have vulnerabilities that have not been fixed. The interesting fact is those plugins have not been modified for 2 years or more and some of them have thousands of active installs. LOL

Yikes indeed! :uhh:

Look at e107 several years ago they have a vulnerability that could not only hack into installations, but allowed hackers into the full server the installs were on which they knew about and refused to patch for it. It took many of the sites using e107 to get hacked and taken down before they patched it, but like me many hosts still wont allow e107 installations on their servers

The sad reality of the WordPress! :( Though there are number of security plugins, there are no new patch available which causes the very serious security issues.

That is why WordPress sites become the victim of hackers. :/

it is a constant battle to get clients to upgrade to latest versions of any script (not just WP) as they dont understand the security implications.

That is why auto installers tend to have an auto update setting option on the admin as well as the client side.

That way that clients who just press install and think that it "all set" will actually get this. If you set it to auto update by default.

Other than that those who will "uncheck" it will likely know "hey updates are my problem now". Otherwise I would politely advise them to keep their installs up to date.

Now of course plugins/themes are still a "problem" but generally that is under the "okay if I install this then I need to keep this updated".

sometimes the autoupdate does not work, i normally issue a mass emails of outdated scripts to inform members to update and if they dont after 7 days i will update all these scripts

I absolutely agrees that automated is and never will be "prefect". That is why no provider should just "set it and forget it". :)

Thanks for the heads up. I guess I need to read up some more as I think I just read this morning that the percentage was 59% and not 29%. Not sure where I saw that.

https://w3techs.com/technologies/det...dpress/all/all

states

Its a dark truth of WordPress. It is less secure then others. We should be careful if website is on WordPress. They have some plugins for security purpose but they are also not enough.