Critical Vulnerability in LiteSpeed Cache WordPress Plugin Threatens Millions of Websites

August 21, 2024

A significant security vulnerability has been identified in the widely-used LiteSpeed Cache WordPress plugin, placing millions of websites at risk of being hijacked through the creation of unauthorized admin accounts. This plugin, which is open-source and boasts over 5 million active installations, is known for its capability to accelerate WordPress sites. It is also compatible with various platforms such as WooCommerce, bbPress, ClassicPress, and Yoast SEO.

The security flaw, tagged as CVE-2024-28000, is an unauthenticated privilege escalation vulnerability. It was discovered in the user simulation feature of the plugin, due to a weak hash check in LiteSpeed Cache versions up to and including 6.3.0.1. John Blackbourn, a security researcher, reported the issue to Patchstack's bug bounty program on August 1. The LiteSpeed team quickly responded by developing and shipping a patch with LiteSpeed Cache version 6.4, which was released on August 13.

The successful exploitation of this vulnerability can grant any unauthenticated visitors administrator-level access. This access can be leveraged to completely hijack websites running on vulnerable versions of LiteSpeed Cache. The attacker can install malicious plugins, modify crucial settings, redirect traffic to harmful websites, distribute malware to visitors, or steal user data. Rafie Muhammad, a Patchstack security researcher, explained, "We were able to determine that a brute force attack that iterates all 1 million known possible values for the security hash and passes them in the litespeed_hash cookie — even running at a relatively low 3 requests per second — is able to gain access to the site as any given user ID within between a few hours and a week."

Although a patch was released to address this critical security flaw, download statistics from WordPress' official plugin repository reveal that the patched plugin has only been downloaded just over 2.5 million times. This indicates that more than half of all websites using the plugin remain vulnerable to potential attacks. Earlier this year, a similar vulnerability in LiteSpeed Cache, tagged as CVE-2023-40000, was exploited by attackers to create rogue admin users and seize control of vulnerable websites.

Chloe Chamberland, the threat intel lead at Wordfence, issued a warning about the imminent threat, stating, "We strongly advise users to update their sites with the latest patched version of Litespeed Cache, version 6.4.1 at the time of this writing, as soon as possible. We have no doubts that this vulnerability will be actively exploited very soon." In June, the Wordfence Threat Intelligence team reported a separate incident where a threat actor backdoored at least five plugins on WordPress.org and added malicious PHP scripts to create accounts with admin privileges on websites running them.

Related News

• Cybercriminals Target Outdated LiteSpeed Cache Plugin to Gain Control of WordPress Sites
• LiteSpeed Cache Plugin XSS Vulnerability Threatens Millions of WordPress Sites

Latest News

• Critical Authentication Bypass Flaw Detected in GitHub Enterprise Server
• Microsoft's Copilot Studio Exposes Cloud Data Due to SSRF Bug
• Stealthy Msupedge Backdoor Exploits PHP Flaw in Cyber Attack on Taiwanese University
• Security Vulnerability in Azure Kubernetes Services Unveiled by Researchers
• Lazarus Hackers Exploit Windows Driver Zero-Day to Install Rootkit