Cybercriminals Target Outdated LiteSpeed Cache Plugin to Gain Control of WordPress Sites
May 7, 2024
Hackers have been exploiting a flaw in an outdated version of the LiteSpeed Cache plugin used by WordPress sites to create administrator users and gain control of the sites. The plugin is used on over five million WordPress sites to speed up page loads, improve visitor experience, and boost Google Search ranking; versions older than 5.7.0.1 are vulnerable.
The WPScan security team at Automattic observed increased activity from threat actors scanning for and compromising WordPress sites with these older versions of the plugin. These versions are susceptible to a high-severity (8.8) unauthenticated cross-site scripting flaw tracked as CVE-2023-40000. One IP address, 94[.]102[.]51[.]144, made more than 1.2 million probing requests when scanning for vulnerable sites.
The hackers employ malicious JavaScript code, which they inject into critical WordPress files or the database. This allows them to create administrator users named 'wpsupp-user' or 'wp-configuser'. Another indication of a compromised site is the presence of the 'eval(atob(Strings.fromCharCode' string in the 'litespeed.admin_display.messages' option in the database.
While a large portion of LiteSpeed Cache users have updated to more recent versions not impacted by CVE-2023-40000, up to 1,835,000 still run a vulnerable release. The ability to create admin accounts on WordPress sites gives attackers full control, allowing them to modify content, install plugins, change critical settings, redirect traffic to unsafe sites, distribute malware, execute phishing attacks, or steal user data.
Another campaign reported by Wallarm at the beginning of the week targeted a WordPress plugin named 'Email Subscribers' to create administrator accounts. The hackers leveraged CVE-2024-2876, a critical SQL injection vulnerability with a severity score of 9.8/10 that affects plugin versions 5.7.14 and older. Despite 'Email Subscribers' being less popular than LiteSpeed Cache, with only 90,000 active installations, the observed attacks show that hackers will exploit any opportunity.
WordPress site admins are urged to update plugins to the latest version, remove or disable unnecessary components, and monitor for new admin accounts being created. If a breach is confirmed, a full site cleanup is mandatory. This process involves deleting all rogue accounts, resetting passwords for all existing accounts, and restoring the database and site files from clean backups.
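The checks described above (plugin version, the two reported account names, the marker string in the 'litespeed.admin_display.messages' option, and monitoring for new administrators) can be combined into one triage pass. The following is an added example, not code from WPScan or the plugin: the snapshot dictionary layout, the `known_admins` baseline and the function names are assumptions made for illustration.

```python
import re

# Indicators and version boundary as reported in the article above.
FIXED_VERSION = "5.7.0.1"
ROGUE_ADMINS = {"wpsupp-user", "wp-configuser"}
OPTION_NAME = "litespeed.admin_display.messages"
OPTION_MARKER = "eval(atob(Strings.fromCharCode"


def parse_version(text, width=4):
    """Turn '5.7' or '5.7.0.1' into a fixed-width tuple for numeric comparison."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (width - len(parts)))


def triage(site):
    """Return (severity, message) findings for one site snapshot (assumed dict layout)."""
    findings = []
    version = site.get("litespeed_cache_version")
    if version and parse_version(version) < parse_version(FIXED_VERSION):
        findings.append(("patch", f"LiteSpeed Cache {version} is older than {FIXED_VERSION}"))
    known = {name.lower() for name in site.get("known_admins", [])}
    for login in site.get("admin_logins", []):
        # Some renderings use a non-breaking hyphen (U+2011); normalise before matching.
        name = login.replace("\u2011", "-").lower()
        if name in ROGUE_ADMINS:
            findings.append(("compromise", f"rogue administrator account: {login}"))
        elif name not in known:
            findings.append(("review", f"administrator not in baseline: {login}"))
    if OPTION_MARKER in site.get("options", {}).get(OPTION_NAME, ""):
        findings.append(("compromise", f"script marker found in option {OPTION_NAME}"))
    return findings


# Constructed snapshots for illustration; not data from a real site.
PATCHED = {"litespeed_cache_version": "5.7.0.1", "admin_logins": ["alice"],
           "known_admins": ["alice"], "options": {}}
COMPROMISED = {
    "litespeed_cache_version": "5.6",
    "admin_logins": ["alice", "wpsupp-user", "bob"],
    "known_admins": ["alice"],
    "options": {OPTION_NAME: "<script>eval(atob(Strings.fromCharCode(/* removed */"},
}

if __name__ == "__main__":
    for label, snapshot in (("patched", PATCHED), ("compromised", COMPROMISED)):
        print(label, triage(snapshot) or "no findings")
```

A "compromise" finding calls for the full cleanup described above, while a "review" finding only means the account is missing from the baseline and needs a human decision.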