Website administrators running WordPress have had a tough week. On Monday, the WordPress developers published a new version of the CMS (WordPress 4.9.3), which was supposed to fix a number of minor problems but accidentally disabled automatic updates, the feature that lets WordPress update itself without user intervention.
Although the error was quickly noticed, and WordPress 4.9.4 was released the next day to repair the automatic update system, an obvious problem arose: users who had already installed the faulty version did not receive WordPress 4.9.4 as an automatic update, and may not even know it exists.
To install the latest version, 4.9.4, the update must be started manually from the control panel.
More bad news is that neither version (4.9.3 nor 4.9.4) contains a patch for the CVE-2018-6389 vulnerability previously reported by independent security researcher Barak Tawily.
As a reminder, the critical DoS vulnerability lies in load-scripts. The bug allows an attacker to "knock over" almost any vulnerable WordPress site by sending specially crafted requests.
He even created a proof-of-concept exploit, a simple doser.py script written in Python, which sends a large number of similar requests to the target URL. After about 500 requests, an average site running on a VPS stops responding and returns only 502, 503 and 504 errors.
Tawily also warned that a single computer can hardly "take down" a WordPress site hosted on a powerful private server. However, if the attacker has a high-bandwidth connection or several bots, the attack will work against such a resource too, and will be cheaper than a conventional DDoS attack.
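Because the attack pattern is a burst of near-identical requests to one endpoint, it is easy to spot in web server logs. The following is an added example, not code from the article or from Tawily: a small Python detector that reads Apache-style combined-format access log lines, isolates requests to the load-scripts/load-styles endpoints, counts how many script handles each request asks for, and flags any client that sends an excessive number of oversized requests within a sliding window. It assumes the endpoint's list parameter is named `load[]` (known from the CVE write-up, not stated on this page), and the thresholds and the sample log lines are constructed for illustration.

```python
"""Detect CVE-2018-6389-style request floods against load-scripts.php in
combined-format access logs.

Added example; not code from the original article or from Barak Tawily.
Assumptions: the ``load[]`` query parameter is the handle list the endpoint
accepts (known from the CVE write-up, not from this page); the thresholds
below are illustrative, not tuned values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

ENDPOINTS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")
MIN_HANDLES = 50        # assumption: legitimate admin pages request far fewer handles
WINDOW_SECONDS = 60     # assumption: sliding window for the per-client count
MAX_PER_WINDOW = 20     # assumption: more oversized requests than this is flagged


def parse_line(line):
    """Return (ip, timestamp, path, handle_count), or None when the line is
    malformed or does not target a load-scripts/load-styles endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    if parts.path not in ENDPOINTS:
        return None
    qs = parse_qs(parts.query)
    # parse_qs decodes %5B%5D, so both spellings end up under the key "load[]";
    # handles are comma-separated inside each value.
    handles = 0
    for value in qs.get("load[]", []) + qs.get("load", []):
        handles += len([h for h in value.split(",") if h])
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), ts, parts.path, handles


def flag_sources(lines):
    """Return {ip: peak_count} for clients that exceeded MAX_PER_WINDOW
    oversized load-list requests within any WINDOW_SECONDS span."""
    recent = defaultdict(deque)   # ip -> timestamps of oversized requests
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _path, handles = parsed
        if handles < MIN_HANDLES:
            continue
        q = recent[ip]
        q.append(ts)
        # drop timestamps that fell out of the sliding window
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) > MAX_PER_WINDOW:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def _sample_log():
    """Constructed sample: one client hammering load-scripts.php with a long
    handle list, plus one ordinary admin request."""
    big = "load[]=" + ",".join(f"handle{i}" for i in range(120))
    lines = [
        f'203.0.113.5 - - [06/Feb/2018:10:00:{i:02d} +0000] '
        f'"GET /wp-admin/load-scripts.php?c=1&{big}&ver=4.9.3 HTTP/1.1" '
        f'200 51234 "-" "python-requests/2.18"'
        for i in range(25)
    ]
    lines.append(
        '198.51.100.7 - - [06/Feb/2018:10:00:10 +0000] '
        '"GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils'
        '&ver=4.9.3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'
    )
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))   # {'203.0.113.5': 25}
```

Feeding real logs through `flag_sources` (one line per iteration, so a file object works directly) gives a list of clients worth rate-limiting at the web server or WAF; the per-request handle count is what separates this traffic from a normal admin session, which requests only a handful of scripts per page.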
Fix Automatic WordPress Updates
The WordPress developers did not consider the vulnerability serious enough and replied that such problems should be solved at the server or network level, not at the application level. Judging by the absence of a patch in versions 4.9.3 and 4.9.4, that position has not changed.
In response, Tawily published his own WordPress version on GitHub with the vulnerability eliminated. The researcher also released an open-source bash script that fixes the problem in existing WordPress installations. There is now another possible workaround as well: the vulnerability can be mitigated using ModSecurity.