
Denial of Service vulnerability in self-hosted WordPress 3.5.1


Security researcher Krzysztof Katowicz-Kowalewski has discovered a vulnerability in the latest WordPress version.

The researcher claims that the vulnerability allows a denial of service attack.

“The vulnerability is caused due to an error when calculating the hash cycle count within the “crypt_private()” method in /wp-includes/class-phpass.php and can be exploited to exhaust CPU and memory resources by sending HTTP requests with a specially crafted password cookie.” – Secunia

However, successful exploitation requires knowledge of the URL of a password-protected post.

Secunia confirmed the vulnerability in WordPress version 3.5.1; other versions may also be affected. It added that no official solution is currently available.

According to the security researcher, he disclosed the security bug because he got no response from the WordPress security team a week after notifying them.

Check complete details here.
