Millions of WordPress Sites Vulnerable to Takeover Attack Due to LiteSpeed Cache Bug

A critical vulnerability in the widely used LiteSpeed Cache WordPress plugin allows threat actors to take over websites by creating administrator accounts without any authentication, posing a significant risk to millions of sites.

LiteSpeed Cache for WordPress (LSCWP) is an open-source, all-in-one site acceleration plugin with over 5 million active installations.

It features an exclusive server-level cache and a collection of optimization features. It supports WordPress Multisite and is compatible with the most popular plugins, including WooCommerce, bbPress, and Yoast SEO.

The vulnerability tracked as CVE-2024-28000 (CVSS Score: 9.8) was discovered by John Blackbourn, a member of the Patchstack Alliance community, who reported it to Patchstack’s Zero Day bug bounty program on August 1, 2024.

The LiteSpeed team responded promptly by developing a patch for the vulnerability and shipping it with the release of LiteSpeed Cache version 6.4 on August 13, 2024.

The flaw is an unauthenticated privilege escalation in the LiteSpeed Cache plugin’s user simulation feature, caused by a weak security hash mechanism in LiteSpeed Cache versions up to and including 6.3.0.1.

Successful exploitation of this vulnerability allows unauthenticated users to spoof their user ID to that of an administrator in vulnerable LiteSpeed Cache versions, which ultimately lets them register as administrative-level users and completely take over a WordPress site.

This requires no user interaction and can be exploited over the network without requiring any privileges.

Further, the threat actor can install harmful plugins, change crucial settings, redirect traffic to malicious websites, distribute malware to visitors, or steal user data.

“We were able to determine that a brute force attack that iterates all 1 million known possible values for the security hash and passes them in the litespeed_hash cookie — even running at a relatively low 3 requests per second — is able to gain access to the site as any given user ID within between a few hours and a week,” explained Patchstack security researcher Rafie Muhammad on Wednesday.

“The only prerequisite is knowing the ID of an Administrator-level user and passing it in the litespeed_role cookie. The difficulty of determining such a user depends entirely on the target site and will succeed with a user ID 1 in many cases.”
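The quoted description gives a defender two useful facts: the hash space is small enough to iterate, and iterating it means one client sends a steady stream of requests in which the litespeed_hash cookie changes on every request, while a legitimate simulated session keeps the same value. The following Python is an added example, not code from the article, Patchstack or LiteSpeed. It assumes an access log format that records the Cookie header (for example an nginx log_format that includes $http_cookie); the log lines it scans are constructed for the example, and the request rate and hash-space size come from the quote above.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log line shape: client IP, bracketed timestamp, request line, status,
# then the Cookie header in quotes (an nginx log_format with $http_cookie would do this).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_cookies(raw):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; '-' (no Cookie header) yields {}."""
    out = {}
    for part in raw.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], TS_FMT),
        "cookies": parse_cookies(m["cookie"]),
    }


def detect_hash_bruteforce(lines, window_seconds=60, threshold=20):
    """Per client IP, count distinct litespeed_hash values seen in any sliding window.
    A legitimate simulated session reuses one hash; iterating the hash space produces
    a new value on every request. Returns {ip: peak_distinct_hashes} for IPs at or
    above the threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        h = ev["cookies"].get("litespeed_hash")
        if h is not None:
            per_ip[ev["ip"]].append((ev["time"], h))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        window, counts, peak = deque(), Counter(), 0
        for t, h in events:
            window.append((t, h))
            counts[h] += 1
            # drop events that have fallen out of the window
            while (t - window[0][0]).total_seconds() > window_seconds:
                _, old_h = window.popleft()
                counts[old_h] -= 1
                if counts[old_h] == 0:
                    del counts[old_h]
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def brute_force_hours(space=1_000_000, rps=3):
    """(expected, worst-case) hours to exhaust the hash space at a given request rate,
    using the figures quoted by Patchstack: 1 million values at 3 requests per second."""
    worst = space / rps / 3600
    return round(worst / 2, 2), round(worst, 2)


def build_sample_log():
    """Constructed sample log for this example, not captured traffic."""
    base = datetime(2024, 8, 21, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(t):
        return t.strftime(TS_FMT)

    lines = []
    # 90 requests in 30 seconds from one client, each carrying a fresh candidate hash
    for i in range(90):
        t = base + timedelta(seconds=i // 3)
        lines.append(f'203.0.113.5 [{fmt(t)}] "GET /wp-admin/ HTTP/1.1" 302 '
                     f'"litespeed_role=1; litespeed_hash={i:06d}"')
    # a visitor whose cookie values stay constant across requests
    for i in range(5):
        t = base + timedelta(seconds=i * 7)
        lines.append(f'198.51.100.7 [{fmt(t)}] "GET /shop/ HTTP/1.1" 200 '
                     f'"litespeed_role=7; litespeed_hash=abc123"')
    lines.append(f'198.51.100.9 [{fmt(base)}] "GET /index.php HTTP/1.1" 200 "-"')
    return lines


if __name__ == "__main__":
    print(detect_hash_bruteforce(build_sample_log()))   # {'203.0.113.5': 90}
    print(brute_force_hours())                           # (46.3, 92.59)
```

The 92.59-hour worst case at 3 requests per second is consistent with the "few hours to a week" figure in the quote, which is why rate limiting alone is a weak mitigation: the attacker can stay well below typical thresholds. Counting distinct cookie values per client rather than raw request volume catches the pattern regardless of how slowly it is run.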

Although a patch has been released for this critical vulnerability, download statistics from WordPress’ official plugin repository show that it has been downloaded only just over 2.5 million times, suggesting that more than half of all websites using the plugin remain exposed to incoming attacks.

The Wordfence Threat Intelligence team has also warned about the threat. “We strongly advise users to update their sites with the latest patched version of Litespeed Cache, version 6.4.1 at the time of this writing, as soon as possible.

We have no doubts that this vulnerability will be actively exploited very soon,” Chloe Chamberland, Wordfence threat intel lead, warned in a blog post on Monday.

To protect from potential attacks, it is strongly recommended that those using LiteSpeed Cache for their websites update to version 6.4 or later.

If you are unable to update, disable or uninstall the plugin, since a vulnerable install can otherwise be used for a complete website takeover.
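Anyone managing more than a handful of WordPress sites will want to find the installs still below 6.4 before attackers do. The Python below is an added example, not code from the article or from LiteSpeed: it reads the version from the standard WordPress plugin header and flags anything older than the fixed release. The path wp-content/plugins/litespeed-cache/litespeed-cache.php is an assumption about the plugin's layout, and the sample headers are constructed for the example.

```python
import os
import re

# Assumed location of the plugin's main file; WordPress reads the version from its header.
PLUGIN_MAIN_FILE = "wp-content/plugins/litespeed-cache/litespeed-cache.php"
FIXED_VERSION = (6, 4)          # first release carrying the CVE-2024-28000 fix
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def read_plugin_header(wp_root):
    """Read the header block of the plugin's main file under a WordPress install root."""
    with open(os.path.join(wp_root, PLUGIN_MAIN_FILE), encoding="utf-8", errors="replace") as f:
        return f.read(8192)


def version_tuple(version):
    """'6.3.0.1' -> (6, 3, 0, 1); a suffix such as '-beta' is dropped before comparing."""
    numeric = version.split("-", 1)[0]
    return tuple(int(p) for p in numeric.split(".") if p.isdigit())


def header_version(header_text):
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def needs_update(header_text):
    """True when the header names a version below 6.4, or no version at all."""
    v = header_version(header_text)
    return v is None or version_tuple(v) < FIXED_VERSION


def triage(sites):
    """sites: {site_name: header_text}. Returns the subset still on a vulnerable build,
    mapped to the version string found (None when the header carries no version)."""
    return {site: header_version(text) for site, text in sites.items() if needs_update(text)}


SAMPLE_SITES = {  # constructed headers, not taken from real installs
    "shop.example": "/**\n * Plugin Name: LiteSpeed Cache\n * Version: 6.3.0.1\n */",
    "blog.example": "/**\n * Plugin Name: LiteSpeed Cache\n * Version: 6.4.1\n */",
    "docs.example": "/**\n * Plugin Name: LiteSpeed Cache\n * Version: 6.4\n */",
    "old.example":  "/**\n * Plugin Name: LiteSpeed Cache\n */",
}

if __name__ == "__main__":
    print(triage(SAMPLE_SITES))   # {'shop.example': '6.3.0.1', 'old.example': None}
```

Comparing version tuples rather than strings matters here because the vulnerable range ends at 6.3.0.1, a four-part version that a plain string comparison against "6.4" would get wrong in other cases (for instance "6.10" sorting below "6.4"). A header with no version is treated as needing attention rather than silently passing.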

Kavita Iyer (https://www.techworm.net)