1) vulnerability description
WordPress lets the admin interface fetch many JavaScript files in a single request through wp-admin/load-scripts.php (CSS has a parallel endpoint, load-styles.php). The script handles are passed as a comma-separated list in the load[] parameter; for example, https://wpwebsite.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1 makes load-scripts.php read the jquery-ui-core and editor scripts from disk, concatenate them and return the combined contents in one response.
The endpoint is reachable without authentication, and neither the number of handles in load[] nor the total size of the files assembled is limited. An attacker can therefore request every registered script in a single URL and repeat that request continuously, forcing the server to read and concatenate a large volume of files for each hit until CPU, memory or bandwidth is exhausted, i.e. a denial of service.
(check references for more details about the vulnerability)
2) attack details
*affected link : http://blog.praca.olx.pl/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core&ver=4.9.1
*proof of concept (description): request the affected link with a long comma-separated list of script handles in the load[] parameter and repeat the request many times; every response is a large concatenation of the requested scripts that the server has to assemble on each hit.
*proof of concept (link): http://blog.praca.olx.pl/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core&ver=4.9.1
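Because the abuse is visible in the web server's access log as load-scripts.php requests carrying an unusually long load[] list, often from one client, it can be detected before the server falls over. The following script is an added example written for this page, not code from the advisory or from WordPress: it parses Apache combined-format log lines, extracts the script handles from each load-scripts.php request and flags both oversized handle lists and clients that hit the endpoint too often. The log lines are constructed sample data (RFC 5737 documentation addresses, made-up timestamps and sizes), and the thresholds MAX_HANDLES and MAX_REQ_PER_IP are assumptions to be tuned per site. The handle names are real WordPress script handles, used here only as sample input.

```python
"""Flag abusive wp-admin/load-scripts.php requests in Apache access logs.

Added example for the advisory above; not part of the original page or of
WordPress. Thresholds and sample log lines are assumptions/constructed data.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format; we only need client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

MAX_HANDLES = 20     # assumption: a normal admin page never bundles more than this
MAX_REQ_PER_IP = 5   # assumption: per log window being analysed

# Real WordPress script handles, used here as sample data for the "attack" request.
HANDLES = [
    "jquery", "jquery-ui-core", "jquery-ui-widget", "jquery-ui-mouse",
    "jquery-ui-draggable", "jquery-ui-droppable", "jquery-ui-resizable",
    "jquery-ui-selectable", "jquery-ui-sortable", "jquery-ui-accordion",
    "jquery-ui-autocomplete", "jquery-ui-button", "jquery-ui-datepicker",
    "jquery-ui-dialog", "jquery-ui-menu", "jquery-ui-progressbar",
    "jquery-ui-slider", "jquery-ui-spinner", "jquery-ui-tabs", "jquery-ui-tooltip",
    "editor", "quicktags", "wplink", "media-editor", "media-views", "media-models",
    "plupload", "thickbox", "utils", "common", "wp-ajax-response", "wp-lists",
    "postbox", "tags-box", "underscore", "backbone", "wp-util", "wp-backbone",
    "customize-base", "customize-controls",
]


def load_handles(target):
    """Return the script handles requested by a load-scripts.php URL.

    Returns an empty list for any other path. Accepts both the array form
    load[]=a,b,c (sent percent-encoded as load%5B%5D) and the plain load=a,b,c.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/load-scripts.php"):
        return []
    qs = parse_qs(parts.query)          # parse_qs percent-decodes keys, so 'load[]' matches
    handles = []
    for value in qs.get("load[]", []) + qs.get("load", []):
        handles.extend(h for h in value.split(",") if h)
    return handles


def analyze(log_text):
    """Return (flagged, noisy_ips).

    flagged   : list of (ip, handle_count) for requests exceeding MAX_HANDLES
    noisy_ips : dict ip -> request count for clients exceeding MAX_REQ_PER_IP
    """
    flagged = []
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # not a combined-format line; skip
        handles = load_handles(m["target"])
        if not handles:
            continue                    # not a load-scripts.php request
        per_ip[m["ip"]] += 1
        if len(handles) > MAX_HANDLES:
            flagged.append((m["ip"], len(handles)))
    noisy_ips = {ip: n for ip, n in per_ip.items() if n > MAX_REQ_PER_IP}
    return flagged, noisy_ips


# Constructed sample log: one legitimate admin request, six oversized requests
# from a single client, and one unrelated request.
ADMIN_IP = "198.51.100.4"
ATTACK_IP = "203.0.113.7"
BIG_LOAD = ",".join(HANDLES)
SAMPLE_LOG = "\n".join(
    [f'{ADMIN_IP} - - [03/Feb/2018:10:00:00 +0000] "GET /wp-admin/load-scripts.php'
     f'?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1 HTTP/1.1" 200 112340']
    + [f'{ATTACK_IP} - - [03/Feb/2018:10:00:0{i} +0000] "GET /wp-admin/load-scripts.php'
       f'?c=1&load%5B%5D={BIG_LOAD}&ver=4.9.1 HTTP/1.1" 200 4091234' for i in range(6)]
    + [f'{ADMIN_IP} - - [03/Feb/2018:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2103']
)

if __name__ == "__main__":
    flagged, noisy = analyze(SAMPLE_LOG)
    for ip, count in flagged:
        print(f"oversized load[] list: {ip} requested {count} handles")
    for ip, count in noisy.items():
        print(f"high request rate: {ip} hit load-scripts.php {count} times")
```

The two signals are deliberately independent: a single request with dozens of handles is suspicious on its own, while a modest handle list repeated at high frequency from one address is the other way the same endpoint gets abused. Either condition is a reasonable trigger for rate limiting or blocking at the web server.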
3) how to fix
Restricting access to the endpoint at the web server level mitigates the attack. On Apache 2.2, adding the following to an .htaccess file in the wp-admin directory denies all requests to that directory:
Order allow,deny
Deny from all
Note that this also locks out legitimate administrators; in practice the rule should be scoped to load-scripts.php (and load-styles.php) with a <Files> block and combined with an allow rule for trusted addresses. On Apache 2.4 the Order/Deny directives are replaced by Require all denied. A web application firewall or rate limiter in front of the site that caps requests to load-scripts.php per client achieves the same effect without blocking admin access.
4) vulnerability classification:
*owasp 2017 top 10: A9 Using Components with Known Vulnerabilities
*CVE (Common Vulnerabilities and Exposures): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
*type: Denial of service