A critical vulnerability in the LiteSpeed Cache WordPress plugin can let attackers take over tens of millions of websites after creating rogue admin accounts.
LiteSpeed Cache is open source and the most popular WordPress site acceleration plugin, with over 5 million active installations and support for WooCommerce, bbPress, ClassicPress, and Yoast SEO.
The unauthenticated privilege escalation vulnerability (CVE-2024-28000) was discovered in the plugin's user simulation feature and is caused by a weak hash check in LiteSpeed Cache up to and including version 6.3.0.1.
Security researcher John Blackbourn submitted the flaw to Patchstack's bug bounty program on August 1. The LiteSpeed team developed a patch and shipped it with LiteSpeed Cache version 6.4, released on August 13.
Successful exploitation allows any unauthenticated visitor to gain administrator-level access, which can be used to completely take over websites running vulnerable LiteSpeed Cache versions by installing malicious plugins, changing critical settings, redirecting traffic to malicious websites, distributing malware to visitors, or stealing user data.
“We were able to determine that a brute force attack that iterates all 1 million known possible values for the security hash and passes them in the litespeed_hash cookie — even running at a relatively low 3 requests per second — is able to gain access to the site as any given user ID within between a few hours and a week,” explained Patchstack security researcher Rafie Muhammad on Wednesday.
“The only prerequisite is knowing the ID of an Administrator-level user and passing it in the litespeed_role cookie. The difficulty of determining such a user depends entirely on the target site and will succeed with a user ID 1 in many cases.”
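The brute-force pattern Patchstack describes leaves a distinctive trace: one client sending a litespeed_role cookie together with a large number of distinct litespeed_hash values. As an added example (written for this article, not code from Patchstack, LiteSpeed or Wordfence), the script below flags such clients in a constructed log format in which each line carries the client IP, the request path and the quoted Cookie header; standard access-log formats do not record cookies by default, so logging them is an assumed configuration step.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format: <client_ip> <path> "<Cookie header>").
# 203.0.113.7 cycles through hash values with a fixed role cookie, the enumeration
# pattern; 198.51.100.4 is a normal logged-in visitor carrying a single hash.
SAMPLE_LOG = """\
203.0.113.7 /wp-admin/ "litespeed_role=1; litespeed_hash=000001"
203.0.113.7 /wp-admin/ "litespeed_role=1; litespeed_hash=000002"
203.0.113.7 /wp-admin/ "litespeed_role=1; litespeed_hash=000003"
203.0.113.7 /wp-admin/ "litespeed_role=1; litespeed_hash=000004"
198.51.100.4 /shop/ "wordpress_logged_in=abc; litespeed_hash=7f3a2b"
198.51.100.4 /shop/ "wordpress_logged_in=abc; litespeed_hash=7f3a2b"
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+"([^"]*)"\s*$')
COOKIE_RE = re.compile(r'(?:^|;\s*)litespeed_(hash|role)=([^;\s"]+)')


def parse_line(line):
    """Return (client_ip, litespeed_role, litespeed_hash) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _path, cookies = m.groups()
    found = dict(COOKIE_RE.findall(cookies))
    return ip, found.get("role"), found.get("hash")


def find_hash_guessers(log_text, threshold=3):
    """Map client IP -> {'roles': [...], 'distinct_hashes': n} for clients that
    presented a litespeed_role cookie and at least `threshold` distinct
    litespeed_hash values. A legitimate client carries one hash, so a high
    distinct count is the signature of the hash space being enumerated."""
    seen = defaultdict(lambda: {"roles": set(), "hashes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, role, h = rec
        if role is None or h is None:
            continue  # no role cookie: not the privilege-escalation pattern
        seen[ip]["roles"].add(role)
        seen[ip]["hashes"].add(h)
    return {ip: {"roles": sorted(v["roles"]), "distinct_hashes": len(v["hashes"])}
            for ip, v in seen.items() if len(v["hashes"]) >= threshold}


if __name__ == "__main__":
    print(find_hash_guessers(SAMPLE_LOG))
```

The threshold of 3 is deliberately low for the short sample; against real traffic it would be raised and combined with a time window so that the 3 requests per second rate quoted above still trips it.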
While the development team released versions that address this critical security vulnerability last Tuesday, download statistics from WordPress' official plugin repository show that the plugin has only been downloaded just over 2.5 million times, likely leaving more than half of all websites using it exposed to incoming attacks.
Earlier this year, attackers exploited a LiteSpeed Cache unauthenticated cross-site scripting flaw (CVE-2023-40000) to create rogue administrator users and gain control of vulnerable websites. In May, Automattic's security team, WPScan, warned that threat actors started scanning for targets in April after seeing over 1.2 million probes from a single malicious IP address.
“We strongly advise users to update their sites with the latest patched version of Litespeed Cache, version 6.4.1 at the time of this writing, as soon as possible. We have no doubts that this vulnerability will be actively exploited very soon,” Wordfence threat intel lead Chloe Chamberland also warned today.
In June, the Wordfence Threat Intelligence team also reported that a threat actor backdoored at least five plugins on WordPress.org and added malicious PHP scripts to create accounts with admin privileges on websites running them.