Automattic: CPU utilization 99% on visiting wordpress site url & open redirect found

ID H1:129091
Type hackerone
Reporter csanuragjain
Modified 2017-07-23T10:30:48


Working POC for making CPU 99% for WordPress user

+ Log in to your WordPress account.
+ Visit any of the below URLs, which are sent by the attacker to the victim (since these are WordPress URLs, the victim will accept and open them):
  1.
  2.
  3.
+ Check your CPU usage in Task Manager. It goes to 99%, as shown in the attachment.
+ This happens because these pages continue to send unlimited requests to
+ Unlimited requests are sent since I think the variable holding the post ID cannot hold a value as long as 20000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, which throws an exception.
+ Problem: the user's CPU goes to 99%, causing the browser to become very slow and unresponsive. Negative impact on customers.

Working POC for open redirect

+ Access WordPress using the URL
+ After login you will be redirected to , which is incorrect. WordPress should not allow redirecting to external websites like Google or Yahoo.
+ Problem: if in future there is any bug in these external sites, then this open redirect from WordPress could cause harm to users.
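Both findings above come down to unvalidated request parameters: a post ID that is not bounded before it is used, and a post-login redirect target that is not restricted to the site. The following is an added example of the two input checks a defender would put in front of such parameters; it is not WordPress or Automattic code, and `MAX_POST_ID`, the function names, the https-only rule and the sample inputs are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed upper bound: a 64-bit signed integer column. Anything larger is
# rejected up front instead of overflowing or throwing later and being retried.
MAX_POST_ID = 2**63 - 1


def parse_post_id(raw):
    """Return the post id as int, or None if the value is not a sane id."""
    # Only ASCII digits: no sign, whitespace, exponent or unicode digit forms.
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]+", raw):
        return None
    # Cheap length check before building a huge integer from the string.
    if len(raw) > len(str(MAX_POST_ID)):
        return None
    value = int(raw)
    if value == 0 or value > MAX_POST_ID:
        return None
    return value


def is_safe_redirect(target, site_host):
    """Accept only same-site targets: a relative path or an https URL
    whose host is exactly site_host (case-insensitive)."""
    if not isinstance(target, str) or not target:
        return False
    # Control characters and backslashes are parsed differently by browsers
    # and URL libraries, so refuse them outright rather than normalise.
    if any(ord(c) < 0x20 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Path-only target: allow "/wp-admin/" but not the scheme-relative
        # "//evil.example/", which browsers treat as an absolute URL.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() != "https":
        return False  # blocks http:, javascript:, data: and friends
    if parts.username is not None or parts.password is not None:
        return False  # "https://site@evil.example/" fools a naive prefix check
    return (parts.hostname or "").lower() == site_host.lower()
```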