DoS vulnerability
-
Hi team,
For my WordPress site, we have reported the DoS vulnerability for the “load-scripts.php” link, which transfers data with a size of 5.13 MB in Firefox (we can see it on the Network tab using the Inspect option in Firefox). We have reported that if an attacker sends 10000 responses for the “load-scripts.php” link in a short time, then it loads 51.4 GB of data from the server, which leads to a Denial of Service attack on the server.
On the reported URL of my domain, I just changed the domain to “wordpress.com” and the output is the same as for my domain & it also transfers data with a size of 5.13 MB in Firefox (same as for my site, only the domain is different). So, for “WordPress.com” also, the link is available and it is attached below:
https://wordpress.com/wp-admin/load-scripts.php?load=react,react-dom,moment,lodash,wp-polyfill-fetch,wp-polyfill-formdata,wp-polyfill-node-contains,wp-polyfill-url,wp-polyfill-dom-rect,wp-polyfill-element-closest,wp-polyfill,wp-block-library,wp-edit-post,wp-i18n,wp-hooks,wp-api-fetch,wp-data,wp-date,editor,colorpicker,media,wplink,link,utils,common,wp-sanitize,sack,quicktags,clipboard,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-reply,json2,underscore,backbone,wp-util,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrate,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,esprima,jshint,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-bar,wplink,wpdialogs,word-count,media-upload,hoverIntent,hoverintent-js,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embed,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,site-health,privacy-tools,updates,farbtastic,iris,wp-color-picker,dashboard,list-revisions,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter
Please share the details to overcome this issue. Are you applying any rate limit for the above link (if yes, please share the procedure as well)? -
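One way a self-hosted operator could check their own access logs for the pattern described above, as an added example that is not code from the original post or from WordPress.com: it parses combined-format log lines, totals load-scripts.php requests and response bytes per client over a sliding window, and flags clients that exceed a threshold. The thresholds, timestamps, IP addresses and log lines are constructed assumptions, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx): client, ident, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into (ip, timestamp, path, bytes_sent) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sent = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path"), sent

def find_load_scripts_bursts(log_text, window_s=60, max_requests=20, max_bytes=200 * 2**20):
    """Return {ip: (requests, bytes)} for clients whose load-scripts.php traffic in any
    sliding window of window_s seconds exceeds either threshold (first offending window)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "/load-scripts.php" in rec[2]:
            events[rec[0]].append((rec[1], rec[3]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, total = 0, 0
        for end, (ts, sent) in enumerate(evs):
            total += sent
            while ts - evs[start][0] > timedelta(seconds=window_s):  # drop events outside window
                total -= evs[start][1]
                start += 1
            count = end - start + 1
            if count > max_requests or total > max_bytes:
                flagged[ip] = (count, total)
                break
    return flagged

# Constructed sample log (not real traffic): one client fetches the ~5.13 MB bundle
# 25 times within 10 s; a second client makes two ordinary requests.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Oct/2023:13:55:{30 + i // 3:02d} +0000] "GET /wp-admin/'
     f'load-scripts.php?load=jquery,react HTTP/1.1" 200 5380000 "-" "curl/7.81"' for i in range(25)]
    + ['198.51.100.2 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/load-scripts.php?load=common HTTP/1.1" 200 42000 "-" "Mozilla/5.0"',
       '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"']
)
```

Flagged clients are candidates for a per-client rate limit on the load-scripts.php path at the web server or CDN layer; the request and byte thresholds should be tuned to the site's normal admin traffic.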
There is no need to worry about a site running on the wordpress.com platform. To quote a Staff member “All WordPress.com sites are well-protected and we continuously monitor potentially harmful activity to ensure there is no unauthorized access to your content.”
If your site is a self-hosted site, we can’t help. You must solve such problems yourself. Let’s hope your hosting company secured their servers well.
-
Hey there,
As mentioned, on these forums we can only assist with WordPress.com related issues. Therefore, I wanted to remind you about the option to migrate your WordPress site to our servers.
The content alone can be moved by exporting from Tools > Export, and then imported as per these steps here: https://en.support.wordpress.com/import/ (Tools import). To get the storage you need, and to be able to use a custom primary domain, a paid plan would need to be in place: https://wordpress.com/pricing/
Alternatively, a site can be migrated into WordPress.com, as is – including all content, themes and plugins. We make the migration process easy with the WordPress.com Migration plugin, which you can find at this link: https://wordpress.org/plugins/wpcom-migration/.
A site being migrated into WordPress.com using this plugin would require a WordPress.com Business Plan.
We provide a fully managed hosting service with a custom server environment, specifically optimized for WordPress. This means you’ll benefit from built-in security measures, performance improvements, and in-house support to address any questions or concerns you may have.
Migrating your site to WordPress.com may initially seem like a daunting task, but the advantages of our fully managed hosting service outweigh the effort involved. With our optimized server environment and tailored version of WordPress, you’ll have access to the best possible hosting service for your WordPress website.
However, if you decide not to migrate your site to WordPress.com, don’t worry! We still want to ensure you receive the help you need. The open-source WordPress forums are available to provide support, where you can connect with experts in WordPress who are well-equipped to assist you with any issues you may encounter.
We hope this information is helpful. If you have any questions or concerns, please don’t hesitate to contact us. Thank you for considering WordPress.com as your hosting solution!
- The topic ‘DoS vulnerability’ is closed to new replies.