Connect with us

Hi, what are you looking for?


Application Security

Drupal and WordPress Coordinate Security Updates to Fix DoS Flaw

For the first time ever, the security teams at Drupal and WordPress have worked together on addressing a remotely exploitable vulnerability that affects tens of millions of websites that use their publishing platforms.

For the first time ever, the security teams at Drupal and WordPress have worked together on addressing a remotely exploitable vulnerability that affects tens of millions of websites that use their publishing platforms.

The flaw, a denial-of-service (DoS) issue in PHP XML parsing, was reported to Drupal and WordPress by Nir Goldshlager, a senior security researcher at, and founder of Israel-based Break Security.

XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls, is utilized by both content management systems (CMSs). Because of a vulnerability in the PHP XML parser, an attacker can cause a website’s database to reach the maximum number of open connections, and the exhaustion of the CPU and memory, resulting in a denial of service state.

“This phenomenon is predicated on a well-known cyber attack, known as the XML Quadratic Blowup Attack. This is starkly different from the customary XML bomb exploitation, in the sense that it distorts the Memory Limit and MySQL, and Apache Max Clients works,” Goldshlager explained on the Break Security blog. “This bug can be utilized without the aid of any plugins, and it functions smoothly on the Default installation of WordPress and Drupal. Only one machine needed to exploit this vulnerability.”

XML Quadratic Blowup attacks are variations of XML Entity Expansion attacks. XML Quadratic Blowup is similar to a Billion Laughs attack, which is also known as an XML bomb or exponential entity expansion attack.

Cloud-based website performance and security services provider Incapsula has issued an emergency patch to protect its Web Application Firewall (WAF) customers against such attacks. The company points out the fact that this type of exploit doesn’t rely on recursion like a Billion Laughs attack, which makes it more difficult to detect and mitigate.

“This ability to avoid detection is what makes this recently discovered vulnerability so dangerous. It could be said that this exploit only ‘bends the rules’, without actually breaking them. This fact, combined with the extremely large number of affected sites and the high damage potential, makes this vulnerability a triple threat – widespread, crippling and hard to weed out,” Incapsula’s Igal Zeifman wrote in a blog post.

Advertisement. Scroll to continue reading.

The flaw has been fixed in WordPress with the release of version 3.9.2, and in Drupal with the release of versions 6.33 and 7.31. Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team produced a fix for the issue. The latest WordPress contains other security changes as well, but Drupal has rolled out the update only to fix the DoS vulnerability.

The vulnerability affects all WordPress and Drupal websites so users are advised to update their installations as soon as possible.

Goldshlager has published a video demonstrating a DoS attack against a WordPress website.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...