Researchers recently uncovered a major XML vulnerability in WordPress that can take your website down. While most WordPress security issues of the past few years have been in plugins and themes, this one lies in the core itself. The vulnerability is a classic denial of service (DoS): the XML parser in WordPress core is forced to allocate all of the memory the PHP process is allowed to use (the configured memory limit), after which the process can serve no other request and the site becomes unresponsive. Unlike attacks that plant a backdoor to get into a site, this one does its damage simply by taking the site down.
What is the attack all about?
The attack uses a technique called XML Quadratic Blowup. A small XML file is enough to exhaust a server's memory in a matter of seconds. It is closely related to the Billion Laughs attack, but where Billion Laughs nests entity definitions inside one another so that the expansion grows exponentially, the quadratic blowup defines a single large entity of tens of thousands of characters and then references that one entity over and over again.
Look at the following snippet:
<!DOCTYPE DoS [
<!ENTITY a "xxxxxxxxxxxxxxxxx…">
]>
<DoS>&a;&a;&a;&a;&a;&a;&a;&a;…</DoS>
The attacker defines the entity a as a run of tens of thousands of x characters and then references it tens of thousands of times inside the DoS element. Each reference costs only three bytes on the wire (&a;), but the parser has to materialise the full entity for every one of them: an entity of k bytes referenced n times produces roughly n × k bytes of expanded data from a file of only about k + 3n bytes. That product grows quadratically with the file size, so a payload of a few hundred kilobytes expands to several gigabytes, far more than any PHP memory limit allows, and that is enough to take the site down. WordPress accepts XML from unauthenticated clients on its XML-RPC endpoint (xmlrpc.php), which is how the payload reaches the core parser.
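The following is an added example (not code from the original post or from WordPress) that builds a quadratic-blowup document with chosen parameters, measures how much text an unprotected parser has to materialise, and shows the check a hardened entry point should apply: cap the request size and refuse any document that carries a DOCTYPE or entity declaration before expansion can start. It uses only the Python standard library; the parameters and the 64 KB size limit are assumptions for the demonstration, kept small so the expanded text stays around 1 MB. Note that libexpat 2.4.1 and later refuse amplification above 100× once the expanded output passes 8 MiB, so the unprotected parse here succeeds only because the demo stays well below that threshold.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


def build_quadratic_blowup(entity_len: int, refs: int) -> bytes:
    """Construct a quadratic-blowup document for demonstration: one entity of
    `entity_len` bytes, referenced `refs` times inside the <DoS> element."""
    entity = "x" * entity_len
    body = "&a;" * refs
    doc = (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE DoS [\n"
        f'<!ENTITY a "{entity}">\n'
        "]>\n"
        f"<DoS>{body}</DoS>\n"
    )
    return doc.encode("ascii")


def expansion_factor(entity_len: int, refs: int) -> float:
    """Expanded bytes divided by wire bytes: (refs * entity_len) / (entity_len + 3 * refs).
    The fixed framing (<?xml ...?>, DOCTYPE, element tags) is ignored."""
    wire_bytes = entity_len + 3 * refs
    return (refs * entity_len) / wire_bytes


def parse_unprotected(payload: bytes) -> int:
    """Parse with the stdlib parser, which expands internal entities by default,
    and return the number of characters it materialised for the root element."""
    root = ET.fromstring(payload)
    return len(root.text or "")


class DtdNotAllowed(ValueError):
    """Raised when input is too large or declares a DOCTYPE / entity."""


def parse_hardened(payload: bytes, max_bytes: int = 64 * 1024) -> str:
    """Reject oversized input, then abort at the first DOCTYPE or entity
    declaration so no expansion can happen. Returns the root text otherwise.
    The 64 KB default is an assumed limit for this example."""
    if len(payload) > max_bytes:
        raise DtdNotAllowed(f"payload of {len(payload)} bytes exceeds {max_bytes}")

    parts = []
    parser = expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {doctype_name!r} is not allowed")

    def reject_entity(*decl):
        raise DtdNotAllowed("entity declarations are not allowed")

    # Exceptions raised inside expat handlers abort Parse() and propagate.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.CharacterDataHandler = parts.append
    parser.Parse(payload, True)
    return "".join(parts)


def rejects(payload: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(payload)
    except DtdNotAllowed:
        return True
    return False


if __name__ == "__main__":
    payload = build_quadratic_blowup(entity_len=2000, refs=500)
    print(f"wire size: {len(payload)} bytes")
    print(f"unprotected parser materialised: {parse_unprotected(payload)} characters")
    print(f"hardened parser rejects it: {rejects(payload)}")
    # A more realistic payload the attacker would actually send: ~98 KB on the wire
    # expanding to ~800 MB, which is why the PHP memory limit is hit immediately.
    print(f"expansion at k=50000, n=16000: {expansion_factor(50_000, 16_000):.0f}x")
```

The hardened path fails before the parser touches a single entity reference, which is the property you want: the cost of rejecting the payload is proportional to the input, not to its expansion. A size cap alone is not sufficient (a 64 KB document still expands to hundreds of megabytes), so the DOCTYPE rejection is the check that actually closes the hole.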
Are you affected?
The issue affects every WordPress release from 3.5 through 3.9.1, which was the current version when the fix shipped. You must upgrade to the patched version 3.9.2 immediately to protect your site. If you cannot update straight away, restricting access to xmlrpc.php limits your exposure in the meantime, since that is where untrusted XML enters the core parser. Update now.