Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    (Sips more coffee, makes skeptical noises.)

    That’s not really a vulnerability in WordPress and here’s why: any DoS attack is background noise. Harmful background noise if it’s your server, but still background noise.

    Anyone can write a script and knock down any single server. It’s ~2 minutes of work to do if you type slowly. Apache2 comes with a great load tester that if you ramp up the threads and simultaneous requests, then BAM! unresponsive server.

    Now a real vulnerability would be if flooding that WordPress file with info caused it to crash and execute arbitrary code that the attacker planned. Once an attacker can do that, you’ve got a real problem on your hands. The worm that went around hitting pre-2.8.4 code? Now that was a vulnerability.

    I just wanted to mention that the jarraltech.com post is plagiarized from https://www.stevefortuna.com/new-0-day-wordpress-exploit/

    And I disagree. Some overlooked code in WordPress is the cause for being able to overload a server. While you may be able to flood the server with requests to slow it down/overload it, you can’t call a function that actually uses up CPU and memory to overload it.

    All it takes is a handful of requests to essentially shut down a server.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Well, it looks like it’s about to be addressed in the trunk.

    See https://core.trac.www.ads-software.com/ticket/10980 for more info.

    Edit: also see https://core.trac.www.ads-software.com/changeset/12057

  • The topic ‘New 0-Day WordPress Exploit’ is closed to new replies.