CVE-2018-6389

Published: 06/02/2018 Updated: 01/03/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 484
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

In WordPress up to and including 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

Affected Products

Vendor      Product     Versions
WordPress   WordPress   4.9.2

Exploits

# EDB Note: python doser.py -g 'localhost/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scr ...

Mailing Lists

WordPress load-scripts.php denial of service exploit ...

Github Repositories

PoC - CVE-2018-6389 Proof of Concept of vulnerability CVE-2018-6389 on WordPress 4.9.2

Shiva First of all, put Shiva on watch. I will be upgrading it to a full stress testing suite over time. Shiva is designed to perform Denial Of Service (DOS) attack on wordpress sites by loading all jquery scripts at once through load-scripts.php. So basically it's an exploit for CVE-2018-6389. Awesomeness: Shiva uses multithreading to bring down websites as soon as possible, Yo

WordPress-CVE-2018-6389 WordPress Core - 'load-scripts.php' Denial of Service <= 4.9.4 Date: 05/02/2018 Software Link: WordPress Version: <= 4.9.4 Tested on: Kali Linux 2018.1 CVE: CVE-2018-6389 Discovered by: Barak Tawily Exploit by: Javier Olmedo HOW TO USE? Clone this repository: git clone github.com/JJavierOlmedo/wordpress-cve-2018-6389.git G

modsecurity-cve-2018-6389 A ModSecurity ruleset for detecting potential attacks using CVE-2018-6389. For more information, see www.rastating.com/protecting-wordpress-against-cve-2018-6389/

WP-DOS-Exploit-CVE-2018-6389 This is an exploit of WordPress DOS attack CVE-2018-6389 #USE python3 wp-dos(CVE-2018-6389).py domain threads #Example python3 wp-dos(CVE-2018-6389).py example.com 1000

CVE-2018-6389 Wordpress Exploit CVE-2018-6389 Exploit Can Down Any Wordpress site under 4.9.3. The flaw affects the load-scripts.php WordPress script, it receives a parameter called load[]. About PoC: A simple Script In Python With threading could allow anyone to take down most WordPress websites with single machine. Info: Can Down Any Website with Tested Wordpress versions Teste

cve-2018-6389 Twitter: twitter.com/Ja7adR Telegram: t.me/Ja7adR

wordpress_cve-2018-6389 Tries to exploit a WordPress vulnerability (CVE-2018-6389) which can be used to cause a Denial of Service. WARNING: This software does not perform DoS on vulnerable targets; it executes one HTTP GET call only to check if the vulnerability is present. This software is written to have no external dependencies. DISCLAIMER: This tool is intended for security

CVE-2018-6389 WordPress DoS (CVE-2018-6389) Reference: baraktawily.blogspot.jp/2018/02/how-to-dos-29-of-world-wide-websites.html How to DoS: Start WordPress $ docker-compose up -d Pulling wordpress (wordpress:4.9.3) 4.9.3: Pulling from library/wordpress e7bb522d92ff: Pull complete 3a3976cecfa7: Pull complete Digest: sha256:2f74e7f98dfa9c66a6d5523c67b22830b8f4a88c

trellis-cve-2018-6389 Mitigate CVE-2018-6389 WordPress load-scripts / load-styles attacks. Goal, Why?, Mitigation, Why Not?, Requirements, Installation, Trellis, WordPress, FAQs: Can I use this on managed hosting? It looks awesome. Where can I find some more goodies like this? This isn't on wp.org. Where can I give a review? Alternatives, Testing, Syntax Check, Author I

cve-2018-6389-php-patcher Patch WordPress DOS breach (CVE-2018-6389) in PHP. Place patcher.php in WordPress root directory. Request yourwordpress.com/patcher.php. Delete patcher.php. Source: www.securemydata.fr/patch-de-la-faille-cve-2018-6389-dos-wordpress/

PoC - CVE-2018-6389 Proof of Concept of vulnerability CVE-2018-6389 on WordPress 4.9.2. This vulnerability lets a remote unauthenticated attacker cause DoS of a WordPress based web application. Presentation: docs.google.com/presentation DoSer Python Tool usage: mydoser_get.py [-h] [-t THREADS] [-u URL] Sending unlimited requests to perform DoS attack optional arguments:

wordpress-fix-cve-2018-6389 Apache RewriteRule to mitigate potential DoS attack via WordPress wp-admin/load-scripts.php file. Initial disclosure by Barak Tawily: baraktawily.blogspot.in/2018/02/how-to-dos-29-of-world-wide-websites.html

CVE-2018-6389 exploit for Wordpress sites A small DOS script targeting an unpatched vulnerability in wordpress sites. Uses /wp-admin/load-scripts.php to request additional scripts from hosting server. Includes large list of scripts as request payload. This implementation is for testing purposes only. Usage: python wpdos.py -t 5000 -g 'wwwwordpresswebsitecoza

wordpress-CVE-2018-6389 Metasploit module for WordPress DOS load-scripts.php CVE-2018-638

CVE-2018-6389 PoC node js multisite with proxy This script is based on CVE-2018-6389, a rather insidious problem in WordPress which, unfortunately, will probably not be fixed by the team developing the platform, even though it has been known for quite

wordPressDOSPOC Usage: ./launch.sh target-wordpress-installation-you-own.foobar | #number of requests | #seconds to sleep after each wave. A proof of concept based on www.vulnspy.com/en-cve-2018-6389-wordpress-denial-of-service-dos-vulnerability/ I'm sure there are 398234 better implementations in python, give or take a few, I'm just playing around with bas

Tools Cyber Security Tools SecTools.Org: Top 125 Network Security Tools List of SecTools.Org: Top 125 Network Security Tools - For more than a decade, the Nmap Project has been cataloguing the network security community's favorite tools. Kali Tools Kali Tool List - Kali Linux Tools Listing. Multi-paradigm Frameworks Metasploit - Software for offensive security teams t

CVE-Wordpress Collection

Offensive Dockerfiles Security-oriented Docker containers, ready to fire! This repository contains a collection of security-oriented tools as Dockerfiles. This makes it easy to deploy various mission dependent tools using common cloud providers (AWS, Azure, Linode). The containers are built using Docker. Each container is made to suit required dependencies for

Project 7 WordPress Pentesting Time spent: 10 hours in total Pentesting Report (Required) Vulnerability Name is Cross-site scripting Summary: Vulnerability types: Cross site scripting Tested in version: 4.2 Fixed in version: 4.7.5 GIF Walkthrough: Steps to recreate: I logged into wordpress as adminwpdistilleryvm/wp-admin I went to a page I created In the c

Week-7-Alternative-Assignment-wp-cve 5 vulnerabilities using WordPress – Common Vulnerabilities and Exposure 1) CVE-2018-5776 WordPress before 4.9.2 had XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement) Publish Date: 2018-01-18, Last Update Date: 2018-02-01 • How the exploit was found According to CVE Details – The ultim

WordPress codepath week seven Presentation on week7 EXPLOIT 1:- Vulnerability CVE-2015-3440 WP version: 4.2 Remediation: Update to version: 4.7.5 Steps to exploit: create some post on the blog and logout, visit the blog, let's go to the post and add a comment, and your comment should include xss <svg/onload-alert('XSS')> 1 Then view page source to confirm c

CodePathweek7 Project 7 - WordPress Pentesting Time spent: 5 hours spent in total Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress Pentesting Report Exploit 1 CVE-2016-4566 Upload Same Origin Method Execution (SOME) Summary: Vulnerability types: Same Origin Method Execution (SOME) Tested in version: 4.2 Fixed in

CSCI4349 Week 9: Honeypot MANUAL HONEYPOT SETUP git clone this repo: git clone github.com/harrystaley/CSCI4349_Week9_Honeypot open your terminal application and execute the following command: vagrant up, vagrant ssh which should bring you to a new terminal prompt on your newly created linux box cd /vagrant initialize google cloud gcloud init login and insert the name o

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents ASP Arduino Assembly AutoHotkey AutoIt Batchfile BitBake Bro C C# C++ CSS CoffeeScript Dockerfile Emacs Lisp Erlang Game Maker Language Go HTML Haskell Java JavaScript Jupyter Notebook KiCad Kotlin Logos Lua M Makefile Markdown Mask

Project 7 - WordPress Pentesting Time spent: 12 hours spent in total Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress Pentesting Report WordPress <= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS) Summary: Vulnerability types: XSS Tested in version: 4.2 Fixed in version: 4.2.1 Exploit Database 3684

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :