Cybercriminals Target Outdated LiteSpeed Cache Plugin to Gain Control of WordPress Sites

May 7, 2024

Hackers have been exploiting a flaw in an outdated version of the LiteSpeed Cache plugin used by WordPress sites to create administrator users and gain control of the sites. The plugin, which is used on over five million WordPress sites to speed up page loads, improve visitor experience, and boost Google Search ranking, is vulnerable in versions older than 5.7.0.1.

The WPScan security team at Automattic observed increased activity from threat actors scanning for and compromising WordPress sites with these older versions of the plugin. These versions are susceptible to a high-severity (8.8) unauthenticated cross-site scripting flaw tracked as CVE-2023-40000. One IP address, 94[.]102[.]51[.]144, made more than 1.2 million probing requests when scanning for vulnerable sites.

The hackers employ malicious JavaScript code, which they inject into critical WordPress files or the database. This allows them to create administrator users named 'wpsupp-user' or 'wp-configuser'. Another indication of a compromised site is the presence of the 'eval(atob(Strings.fromCharCode' string in the 'litespeed.admin_display.messages' option in the database.

While a large portion of LiteSpeed Cache users have updated to more recent versions not impacted by CVE-2023-40000, up to 1,835,000 still run on a vulnerable release. The ability to create admin accounts on WordPress sites gives attackers full control, allowing them to modify content, install plugins, change critical settings, redirect traffic to unsafe sites, distribute malware, execute phishing attacks, or steal user data.

Another campaign reported by Wallarm at the beginning of the week targeted a WordPress plugin named 'Email Subscribers' to create administrator accounts. The hackers leveraged CVE-2024-2876, a critical SQL injection vulnerability with a severity score of 9.8/10 that affects plugin versions 5.7.14 and older. Despite 'Email Subscribers' being less popular than LiteSpeed Cache, with only 90,000 active installations, the observed attacks show that hackers will exploit any opportunity.

WordPress site admins are urged to update plugins to the latest version, remove or disable unnecessary components, and monitor for new admin accounts being created. If a breach is confirmed, a full site cleanup is mandatory. This process involves deleting all rogue accounts, resetting passwords for all existing accounts, and restoring the database and site files from clean backups.
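The indicators above (the rogue usernames, the injected string in the 'litespeed.admin_display.messages' option, and newly created administrator accounts) can be checked mechanically against a site's database. The following triage helper is an added example, not code from the report or from the plugin; it assumes rows exported from wp_users, wp_usermeta and wp_options (for instance via WP-CLI or a SQL client), and the sample rows are constructed for illustration.

```python
"""Triage helper for the LiteSpeed Cache compromise indicators described in the report.

Input rows mirror the WordPress tables wp_users, wp_usermeta and wp_options.
The sample rows at the bottom are constructed for illustration.
"""
import re

ROGUE_USERNAMES = {"wpsupp-user", "wp-configuser"}
# The report quotes 'eval(atob(Strings.fromCharCode'; matching the shorter prefix
# also catches the same construct with the correct String.fromCharCode spelling.
PAYLOAD_MARKER = "eval(atob("
LITESPEED_OPTION = "litespeed.admin_display.messages"

def is_administrator(capabilities: str) -> bool:
    """wp_capabilities is a PHP-serialized array; look for the administrator entry."""
    return re.search(r's:13:"administrator";b:1;', capabilities) is not None

def find_rogue_admins(users, usermeta, since: str):
    """Return administrator logins that carry a known rogue name or were registered
    at or after `since` (WordPress stores 'YYYY-MM-DD HH:MM:SS', which sorts as text)."""
    caps = {m["user_id"]: m["meta_value"]
            for m in usermeta if m["meta_key"] == "wp_capabilities"}
    hits = []
    for u in users:
        if not is_administrator(caps.get(u["ID"], "")):
            continue
        if u["user_login"] in ROGUE_USERNAMES or u["user_registered"] >= since:
            hits.append(u["user_login"])
    return hits

def litespeed_option_tainted(options) -> bool:
    """True when the LiteSpeed messages option carries the injected eval(atob(...)) payload."""
    return any(o["option_name"] == LITESPEED_OPTION and PAYLOAD_MARKER in o["option_value"]
               for o in options)

# Constructed sample data: one legitimate admin, one editor, one rogue admin.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:00:00"},
    {"ID": 2, "user_login": "editor1", "user_registered": "2022-06-11 09:30:00"},
    {"ID": 17, "user_login": "wpsupp-user", "user_registered": "2024-05-02 03:14:07"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 17, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
SAMPLE_OPTIONS = [  # payload body replaced by a placeholder; only the marker matters here
    {"option_name": LITESPEED_OPTION,
     "option_value": 'a:1:{i:0;s:48:"<script>eval(atob(Strings.fromCharCode(...)))</script>";}'},
]

if __name__ == "__main__":
    print(find_rogue_admins(SAMPLE_USERS, SAMPLE_USERMETA, "2024-04-01 00:00:00"))  # ['wpsupp-user']
    print(litespeed_option_tainted(SAMPLE_OPTIONS))  # True
```

Any hit from the first check should be followed by the full cleanup the report describes, since a single rogue administrator is enough to re-infect a site that was only patched.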
