Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to gain administrator privileges.
“The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and installed,” Patchstack’s Rafie Muhammad said in a Wednesday report.
The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), has been patched in version 6.4 of the plugin, released on August 13, 2024. It affects all versions of the plugin up to and including 6.3.0.1.
LiteSpeed Cache is one of the most widely used caching plugins for WordPress, with over 5 million active installations.
In a nutshell, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them the privileges needed to take over a vulnerable WordPress site.
The vulnerability is rooted in a user simulation feature in the plugin that relies on a weak security hash whose seed is a trivially guessable random number.
Specifically, there are only one million possible values for the security hash, because the random number generator is seeded from the microsecond portion of the current time. What’s more, the random number generator is not cryptographically secure, and the generated hash is neither salted nor tied to a particular request or user.
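The three weaknesses described above (a seed drawn from a one-million-value space, a non-cryptographic generator, and a hash that is bound to neither a user nor a request) each have a direct remedy. The following Python example, added here and not taken from the article or from the LiteSpeed Cache plugin, contrasts a generator built the weak way with one built the way a defender would want: a CSPRNG nonce, an HMAC keyed with a server secret, binding to the user ID and request, and constant-time comparison. All function names, the secret key, and the sample user and request values are hypothetical.

```python
import hashlib
import hmac
import math
import random
import secrets

# The article states the weak seed is the microsecond part of the current
# time, which bounds the seed space to exactly one million values.
MICROSECONDS_PER_SECOND = 1_000_000


def weak_hash_keyspace() -> int:
    """Number of distinct seeds a microsecond-derived generator can take."""
    return MICROSECONDS_PER_SECOND


def keyspace_bits(keyspace: int) -> float:
    """Entropy in bits for a uniformly chosen value from `keyspace` options."""
    return math.log2(keyspace)


def weak_role_hash(microseconds: int) -> str:
    """Anti-pattern (hypothetical): hash derived from a non-CSPRNG seeded
    with a predictable value. Same seed -> same hash, every time, and the
    output is not salted or tied to any user or request."""
    rng = random.Random(microseconds)          # Mersenne Twister, not a CSPRNG
    return hashlib.md5(str(rng.randint(0, 10**9)).encode()).hexdigest()


def secure_role_token(secret_key: bytes, user_id: int, request_id: str) -> tuple[str, str]:
    """Defender-side construction (hypothetical):
    - 32 bytes from the OS CSPRNG (256 bits of entropy, not ~20),
    - an HMAC keyed with a server-side secret, so a leaked token cannot be
      regenerated without the key,
    - the user ID and request ID folded into the MAC input, so a token for
      one user/request is useless for another."""
    nonce = secrets.token_bytes(32)
    message = nonce + f"{user_id}:{request_id}".encode()
    tag = hmac.new(secret_key, message, hashlib.sha256).hexdigest()
    return nonce.hex(), tag


def verify_role_token(secret_key: bytes, user_id: int, request_id: str,
                      nonce_hex: str, tag: str) -> bool:
    """Recompute the MAC for the claimed user/request and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        nonce = bytes.fromhex(nonce_hex)
    except ValueError:
        return False
    message = nonce + f"{user_id}:{request_id}".encode()
    expected = hmac.new(secret_key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    print(f"weak seed space: {weak_hash_keyspace()} values "
          f"(~{keyspace_bits(weak_hash_keyspace()):.1f} bits)")
    print(f"CSPRNG nonce:    {keyspace_bits(2**256):.0f} bits")
    key = b"hypothetical-server-secret"        # constructed sample value
    nonce_hex, tag = secure_role_token(key, 7, "req-0001")
    print("valid for owner:     ", verify_role_token(key, 7, "req-0001", nonce_hex, tag))
    print("valid for other user:", verify_role_token(key, 8, "req-0001", nonce_hex, tag))
```

The point of the contrast is the entropy arithmetic: a seed space of one million values is under 20 bits, which is why the article calls the hash guessable, whereas a 32-byte CSPRNG nonce gives 256 bits. Binding the MAC to the user and request additionally means that a value found in a debug log is only good for the user and request it was issued to, which is the property the Wordfence advisory below says the vulnerable hash lacked.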
“This is due to the plugin not properly restricting the role simulation functionality allowing a user to set their current ID to that of an administrator, if they have access to a valid hash which can be found in the debug logs or through brute force,” Wordfence said in its own alert.
“This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator, and then create a new user account with the administrator role utilizing the /wp-json/wp/v2/users REST API endpoint.”
It is worth noting that the vulnerability cannot be exploited on Windows-based WordPress installations, because the hash generation function relies on a PHP method called sys_getloadavg() that is not implemented on Windows.
“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” Muhammad said.
With a previously disclosed flaw in LiteSpeed Cache (CVE-2023-40000, CVSS score: 8.3) already exploited by malicious actors, it is essential that users move quickly to update their installations to the latest version.