Yesterday we had a beg bounty attempt emailed to us for one of our WordPress-based websites. It seems worth sharing what is going on with that for those not familiar with security. Here was the email:
Hello support teams,
I hope this email finds you well. I am Devansh. I am a security researcher and I am writing to bring to your attention a critical security vulnerability that I have discovered on your website.
Name of Vulnerability: wp-cron.php visible publicly file leads to dos attack full server down
Vulnerable Instances: server based dos
Website: https://[domain name]/wp-cron.php
Description: The wp-cron.php file is publicly accessible so this file gives full access to the attacker for performing dos attack. Attacker can make unlimited requests to server within a minute which leads to potential dos attack on server.
Steps to Reproduce:
1. Go to the website with wp-cron.php path
2. Copy url and use a python based tool (exploit of this bug ) for this
3. Tool Link https://github.com/Quitten/doser.py
4. type this command in terminal python3 doser.py -t 999 -g {website with wp-cron.php path here}
Impact: An attacker can perform a denial-of-service attack (DoS attack) on a web server.
An attacker can make unlimited requests within a minute. This affects the whole server outage over the globe. It’s not only application level dos. mitigation: hide the wp-cron.php file for public
Please consider this as an urgent matter and prioritize the resolution of this vulnerability. If you require any additional information or assistance, do let me know
Proof of Concept: Do let me know if you need the video poc for performing the dos
Thank you for your attention to this matter, and I look forward to hearing from you soon.
Sincerely,
Devansh
please note: I did not perform any dos attack on the website just informing that there is a path which should be hidden.
What is wrong with that?
First, denial-of-service (DoS) isn’t a type of vulnerability, but a type of attack. A DoS or distributed DoS (DDoS) attack involves causing a website to stop functioning by sending requests to the website that overwhelm the server (or servers) that handle the website. This could involve sending requests that cause high resource usage for each request, sending many requests, or a combination of those two things.
The “security researcher” that contacted us doesn’t understand the difference between a vulnerability and an attack. The difference is important here, since a DoS attack can impact a website even if it is secure, just by sending too many requests for the website to handle. If someone were to be targeted with that type of attack, the solution is usually to use a DoS mitigation service that can process all the requests before they get to the website’s server. If there were something on the website that was unnecessarily resource intensive and could be abused in a DoS attack, fixing that would be a good idea.
The claim was that a WordPress file was vulnerable, though the person writing us didn’t mention WordPress. The file, wp-cron.php, handles the WordPress cron system. That is, it handles running scheduled tasks for WordPress, for example checking whether there is an update that should be applied to software on the website. It is intended to be publicly accessible. That isn’t a security risk.
You can restrict access to it so that only the server’s own IP address (the address WordPress itself makes requests to the file from) can reach it, but you don’t have to.
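For anyone who does want that restriction, here is an added example of how it can look on Apache 2.4 (this is our illustration, not part of the email or of WordPress itself). It assumes the site runs on Apache with .htaccess enabled, and the 203.0.113.10 address is a placeholder for the server’s own public address.

```apache
# Added example: only the server itself may request wp-cron.php.
# WordPress triggers cron by making an HTTP request to its own site URL,
# so the allowed address must be the one that request arrives from.
# That is usually the loopback address, but when the site URL resolves
# to the server's public address the request can arrive from that instead.
<Files "wp-cron.php">
    Require ip 127.0.0.1 ::1
    # Uncomment if the cron request arrives from the server's public address:
    # Require ip 203.0.113.10    # placeholder, replace with the real address
</Files>
```

After adding it, a request for /wp-cron.php from any other address should get a 403 response, and the Scheduled Events list in a plugin such as WP Crontrol (or the site’s own scheduled tasks) should keep running as before; if they stop, the allowed address is not the one WordPress uses.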
The final issue with that is that their proof of concept involved sending 999 requests to the file on the website at once. That could cause a website to stop functioning no matter which file is requested, unless the server is designed to handle that level of load.
Why are you receiving an email like that?
Emails like that are referred to as beg bounties because the people sending them ask for money if you engage with them further, or at least they do if you don’t explain to them that they have gotten things wrong. Here is the response we sent to them:
Denial of service isn’t a vulnerability, but if you think you have found a vulnerability in WordPress, which is what that file is part of, you can find information on reporting that at https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/
The response back was:
Thank you for the information.
Not New
This particular claim about DoS with wp-cron.php isn’t new. Someone made a similar claim to the US Department of Defense in February 2023. There also was someone on Medium.com promoting this in October 2023.
Need Real WordPress Security Help?
If you are in need of a real security checkup of a WordPress website, we provide those.