A critical vulnerability in the LiteSpeed Cache WordPress plugin can let attackers take over millions of websites after creating rogue admin accounts.
LiteSpeed Cache is open-source and the most popular WordPress site acceleration plugin, with over 5 million active installations and support for WooCommerce, bbPress, ClassicPress, and Yoast SEO.
The unauthenticated privilege escalation vulnerability (CVE-2024-28000) was found in the plugin’s user simulation feature and is caused by a weak hash check in LiteSpeed Cache up to and including version 6.3.0.1.
Security researcher John Blackbourn submitted the flaw to Patchstack’s bug bounty program on August 1. The LiteSpeed team developed a patch and shipped it with LiteSpeed Cache version 6.4, released on August 13.
Successful exploitation enables any unauthenticated visitors to gain administrator-level access, which can be used to completely take over websites running vulnerable LiteSpeed Cache versions by installing malicious plugins, changing critical settings, redirecting traffic to malicious websites, distributing malware to visitors, or stealing user data.
“We were able to determine that a brute force attack that iterates all 1 million known possible values for the security hash and passes them in the litespeed_hash cookie — even running at a relatively low 3 requests per second — is able to gain access to the site as any given user ID within between a few hours and a week,” explained Patchstack security researcher Rafie Muhammad on Wednesday.
“The only prerequisite is knowing the ID of an Administrator-level user and passing it in the litespeed_role cookie. The difficulty of determining such a user depends entirely on the target site and will succeed with a user ID 1 in many cases.”
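As an added defender-side illustration (not code from this article, LiteSpeed, or Patchstack), the following Python script does two things the quoted description implies: it flags a source address that cycles through many distinct litespeed_hash cookie values in a short window, and it computes how long full enumeration of a one-million-value keyspace takes at a given request rate. It assumes a constructed access-log format in which the Cookie header is logged as the final quoted field; default web-server log formats do not record cookies, so that logging would have to be enabled for the check to apply. The log lines, addresses, and thresholds below are all constructed.

```python
"""Flag litespeed_hash cookie cycling in access logs.

Added example, not LiteSpeed or Patchstack code. Assumes a constructed
combined-style log format whose last quoted field is the Cookie header.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.10 walks through eight hash values for
# litespeed_role=1 within a few seconds; 198.51.100.7 reuses one value
# (a normal session); the last line carries no cookies at all.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Aug/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "litespeed_hash=000001; litespeed_role=1"
203.0.113.10 - - [21/Aug/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "litespeed_hash=000002; litespeed_role=1"
203.0.113.10 - - [21/Aug/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "litespeed_hash=000003; litespeed_role=1"
203.0.113.10 - - [21/Aug/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "litespeed_hash=000004; litespeed_role=1"
203.0.113.10 - - [21/Aug/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "litespeed_hash=000005; litespeed_role=1"
203.0.113.10 - - [21/Aug/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "litespeed_hash=000006; litespeed_role=1"
203.0.113.10 - - [21/Aug/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "litespeed_hash=000007; litespeed_role=1"
203.0.113.10 - - [21/Aug/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "litespeed_hash=000008; litespeed_role=1"
198.51.100.7 - - [21/Aug/2024:10:00:01 +0000] "GET /shop/ HTTP/1.1" 200 9031 "litespeed_hash=482913"
198.51.100.7 - - [21/Aug/2024:10:00:05 +0000] "GET /cart/ HTTP/1.1" 200 7720 "litespeed_hash=482913"
198.51.100.7 - - [21/Aug/2024:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 4410 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)
COOKIE_RE = re.compile(r"litespeed_(hash|role)=([^;\s]+)")


def parse_line(line: str) -> dict | None:
    """Parse one constructed log line into ip, timestamp, hash, role."""
    m = LINE_RE.match(line)
    if not m:
        return None
    cookies = dict(COOKIE_RE.findall(m["cookie"]))
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "hash": cookies.get("hash"),
        "role": cookies.get("role"),
    }


def detect_enumeration(lines, window=timedelta(minutes=1), threshold=5) -> dict:
    """Return {ip: max distinct litespeed_hash values seen in any window}
    for sources whose distinct-value count reaches the threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["hash"] is not None:
            events[rec["ip"]].append((rec["ts"], rec["hash"]))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        counts: dict[str, int] = defaultdict(int)
        left, best = 0, 0
        for ts, h in evs:                       # sliding window over time
            counts[h] += 1
            while ts - evs[left][0] > window:   # drop events older than window
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            alerts[ip] = best
    return alerts


def enumeration_time(keyspace: int = 1_000_000, rate: float = 3.0) -> timedelta:
    """Worst-case time to try every value at `rate` requests per second."""
    return timedelta(seconds=keyspace / rate)


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG.splitlines()))
    print(enumeration_time())
```

The window and threshold are arbitrary starting points; a real session would reuse one litespeed_hash value, so even a low threshold on distinct values per source separates the two patterns in the sample. The arithmetic also shows why a one-million-value space is no protection: at three requests per second the whole space is covered in under four days, consistent with the "few hours to a week" range quoted above. Detection like this is supplemental only; the fix is updating LiteSpeed Cache to 6.4 or later.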
While the development team released versions that address this critical security vulnerability last Tuesday, download statistics from WordPress’ official plugin repository show that the plugin has been downloaded just over 2.5 million times since then, likely leaving more than half of all websites using it exposed to incoming attacks.
Earlier this year, attackers exploited a LiteSpeed Cache unauthenticated cross-site scripting flaw (CVE-2023-40000) to create rogue administrator users and gain control of vulnerable websites. In May, Automattic’s security team, WPScan, warned that threat actors started scanning for targets in April after seeing over 1.2 million probes from just one malicious IP address.
“We strongly advise users to update their sites with the latest patched version of Litespeed Cache, version 6.4.1 at the time of this writing, as soon as possible. We have no doubts that this vulnerability will be actively exploited very soon,” Wordfence threat intel lead Chloe Chamberland also warned today.
In June, the Wordfence Threat Intelligence team also reported that a threat actor backdoored at least five plugins on WordPress.org and added malicious PHP scripts to create accounts with admin privileges on websites running them.