WordPress CVE-2018-6389 – DoS

There is a DoS vulnerability in all WordPress installations (CVE-2018-6389). It lives in the load-scripts.php and load-styles.php files, whose purpose is to concatenate the scripts and styles used in the administration area so that the admin loads faster.

A single request can ask them to combine a huge number of files at once; the resulting load on the server can be enough to take the webserver down.

There is an unofficial patch, or you can limit the size of requests to the load scripts at the webserver level:

For Apache

# Block load-scripts.php / load-styles.php requests with a long load[] argument list
# CVE-2018-6389 impact mitigation (mod_rewrite must be enabled)
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/+wp-admin/+load-(scripts|styles)\.php$
RewriteCond %{QUERY_STRING} load\[\]=(.{800,})$
RewriteRule ^(.*)$ - [F,L]

For Nginx

# Block load-scripts.php / load-styles.php requests with a long argument list
# CVE-2018-6389 impact mitigation (place inside the server block)
if ($request_uri ~* "^/+wp-admin/+load-(scripts|styles)\.php\?.{800,}$") {
    return 403;
}
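To see what the two rules above actually match, here is a small detector written for this post (added example, not code from the original post or from WordPress). It applies the same path pattern and the same 800-character threshold to a request target and to constructed access-log lines, so you can test a rule offline or scan existing logs for requests that the rule would have blocked. It measures only the percent-decoded load[] value rather than the raw query string, and the sample log lines, IP addresses, and handle names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Same path pattern the Apache and Nginx rules in the post use.
LOAD_PATH_RE = re.compile(r"^/+wp-admin/+load-(scripts|styles)\.php$")
# Threshold from the post: a load[] argument of 800 or more characters is blocked.
MAX_LOAD_LEN = 800

# Request field of a combined/common log format line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def inspect_request(target):
    """Classify a request target (path plus query) the way the post's rule does.

    Returns the matched script name (or None), the decoded length of the
    load[] argument, how many handles it names, and whether the
    800-character rule would block it.
    """
    parts = urlsplit(target)
    m = LOAD_PATH_RE.match(parts.path)
    if not m:
        return {"script": None, "load_len": 0, "handles": 0, "blocked": False}
    # parse_qs percent-decodes keys, so load%5B%5D= is treated the same as load[]=.
    params = parse_qs(parts.query, keep_blank_values=True)
    load_arg = ",".join(params.get("load[]", []))
    handles = [h for h in load_arg.split(",") if h]
    return {
        "script": "load-" + m.group(1) + ".php",
        "load_len": len(load_arg),
        "handles": len(handles),
        "blocked": len(load_arg) >= MAX_LOAD_LEN,
    }


def scan_access_log(lines):
    """Return (client, script, handle_count) for every log line the rule would block."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        info = inspect_request(m.group("target"))
        if info["blocked"]:
            client = line.split(" ", 1)[0]
            hits.append((client, info["script"], info["handles"]))
    return hits


# Constructed sample requests and log lines (not captured from a real server).
SHORT = "/wp-admin/load-scripts.php?c=1&load[]=jquery-core,jquery-migrate,utils&ver=4.9"
# Placeholder handle names h0..h249; the joined list is well over 800 characters.
LONG = "/wp-admin/load-styles.php?c=1&load[]=" + ",".join("h%d" % i for i in range(250)) + "&ver=4.9"
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Feb/2018:10:00:01 +0000] "GET %s HTTP/1.1" 200 51230 "-" "Mozilla/5.0"' % SHORT,
    '203.0.113.10 - - [05/Feb/2018:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Feb/2018:10:00:03 +0000] "GET %s HTTP/1.1" 200 9000000 "-" "curl/7.58"' % LONG,
]

if __name__ == "__main__":
    for target in (SHORT, LONG):
        print(inspect_request(target))
    for client, script, count in scan_access_log(SAMPLE_LOG):
        print("would block: client=%s script=%s handles=%d" % (client, script, count))
```

The normal admin request with three handles passes, while the constructed 250-handle request is flagged. Because the check decodes the query string before looking for load[], it also catches the `load%5B%5D=` spelling; the Apache RewriteCond above matches the literal `load[]=` in the raw query string, whereas the Nginx rule looks only at the total length after the `?`, so the two rules are not exactly equivalent and should each be tested against your own logs.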

The question is: do you still need this in the age of HTTP/2?
