Akamai Diversity

Akamai Security Intelligence
& Threat Research

Wordpress DoS Attack: CVE-2018-6389


On February 5, an Israeli security researcher, Barak Tawily, discovered a Denial of Service (DoS) attack impacting all 3.x-4.x versions of the Wordpress content management platform.  The vulnerability is currently unpatched and relies on a performance boosting feature in Wordpress allowing Javascript and style sheets to be loaded in bulk via a single request. The attack does not affect the Akamai platform, but it does affect any customers using Wordpress unless proper protections are enabled.



The vulnerability is found in 'load-scripts.php', a script in the Wordpress core code that processes user defined requests. There is speculation by the Akamai SIRT that this vulnerability also can be found in 'load-styles.php', but we have not confirmed this attack vector.

These two script files are used to load web page content by searching for each file listed as a comma separated parameter, for example:



Where the .js file being load is jquery-ui-core. There are 181 .js scripts defined in script-loader.php that can be appended to the above string in order to load all 181 scripts in a single request. This doesn't require any authentication and while a single request isn't enough to cause too much load on a server, a script requesting many per second could be.


Akamai recommends using our rate control feature to block multiple requests from the same IP address specific to the load-scripts.php and load-style.php paths. A custom rule can also be created to limit the number of arguments passed to either of those scripts. Check with your Akamai account team on enabling a rule for your configuration.