Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites[thehackernews]

A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in WordPress CMS platform that could allow anyone to take down most WordPress websites even with a single machine—without hitting with a massive amount of bandwidth, as required in network-level DDoS attacks to achieve the same.

Since the company has denied patching the issue, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released in last nine years, including the latest stable release of WordPress (Version 4.9.2).

Discovered by Israeli security researcher Barak Tawily, the vulnerability resides in the way “load-scripts.php,” a built-in script in WordPress CMS, processes user-defined requests.