A severe security flaw in the LiteSpeed Cache WordPress plugin has exposed more than five million websites to potential takeovers by allowing attackers to create unauthorised administrator accounts. Discovered by the cybersecurity firm Wordfence Threat Intelligence, this vulnerability impacts all versions of the plugin up to and including 6.3.0.1.
According to Wordfence, the vulnerability permits unauthenticated users to exploit a weak hash mechanism to spoof user roles. By obtaining a hash value, which is poorly protected and can be brute-forced or found in debug logs, attackers can elevate their privileges to administrative levels. This flaw allows them to create new administrative accounts via the /wp-json/wp/v2/users REST API endpoint.
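As an added illustration, not code from the article or from Wordfence, Patchstack or LiteSpeed: two defender-side checks that follow from the description above, written in Python. The first scans web-server access logs for POSTs to the /wp-json/wp/v2/users endpoint, which is where an attacker holding a spoofed administrator role would create the new account; the second reads the plugin's standard "Version:" header and reports whether the install is below the 6.4.1 Wordfence advises. The log lines are constructed samples in combined log format, and the idea that a 2xx on that POST means an account was created is an assumption about normal WordPress REST behaviour.

```python
import re

USERS_ENDPOINT = "/wp-json/wp/v2/users"   # REST endpoint named in the article
ADVISED_VERSION = (6, 4, 1)               # version Wordfence advises updating to

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2024:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512
198.51.100.4 - - [20/Aug/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 8192
203.0.113.7 - - [20/Aug/2024:10:00:03 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 401 120
203.0.113.7 - - [20/Aug/2024:10:00:04 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def user_creation_attempts(log_text):
    """Return (ip, timestamp, status) for every POST to the users endpoint.
    On a site whose admins never create users through the REST API, any
    hit here deserves a look; a 2xx is the 'new administrator' outcome."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # not in combined format; skip rather than guess
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if m.group("method") == "POST" and path == USERS_ENDPOINT:
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits

def successful_creations(log_text):
    """Only the POSTs that returned 2xx, i.e. an account was actually created."""
    return [h for h in user_creation_attempts(log_text) if 200 <= h[2] < 300]

def needs_update(plugin_header):
    """True if the 'Version:' line of the plugin's main PHP file header is
    below 6.4.1 (this covers every affected version up to 6.3.0.1)."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", plugin_header, re.M)
    if not m:
        raise ValueError("no Version: header found")
    installed = tuple(int(p) for p in m.group(1).strip(".").split("."))
    return installed < ADVISED_VERSION

if __name__ == "__main__":
    for ip, ts, status in user_creation_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} POST {USERS_ENDPOINT} -> {status}")
    print("update needed:", needs_update(" * Plugin Name: LiteSpeed Cache\n * Version: 6.3.0.1"))
```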
Following the discovery, Wordfence issued an updated firewall rule to safeguard users of Wordfence Premium, Wordfence Care, and Wordfence Response from potential exploits targeting this vulnerability. Users of the free version of Wordfence will receive similar protection starting from 19 September 2024.
LiteSpeed Cache vulnerability reported via Patchstack
The vulnerability, designated CVE-2024-28000, was not reported through Wordfence’s bug bounty programme. However, based on available information, it could have qualified for a bounty ranging from £18,500 to £25,500. Wordfence strongly advises all users to update to LiteSpeed Cache version 6.4.1 without delay to prevent exploitation.
LiteSpeed Cache is a popular open-source plugin designed to optimise and accelerate WordPress sites, supporting various extensions including WooCommerce and Yoast SEO. The flaw lies in the improper implementation of the plugin’s role simulation feature, which is used for crawling and caching pages as different users.
Earlier this month, security researcher John Blackbourn reported the issue to Patchstack’s bug bounty programme. The LiteSpeed development team responded by releasing a patch in version 6.4 on 13 August. Despite this, download statistics from WordPress’s plugin repository suggest that a significant number of sites remain unpatched.
Patchstack security researcher Rafie Muhammad highlighted that a brute-force attack could compromise administrative accounts within hours to a week, depending on the attacker’s resources and knowledge of the target site. This vulnerability has previously been exploited to create unauthorised administrator accounts.
Given the potential severity of this exploit, users are strongly advised to update their LiteSpeed Cache plugin to the latest version to protect against this critical security flaw.
A short history of WordPress attacks
Over the past year, WordPress has been the target of several significant cyberattacks, primarily due to vulnerabilities in plugins and themes. Notably, the GiveWP plugin, popular among nonprofits for online donations, was found to have a critical flaw in August 2024. This allowed unauthenticated attackers to execute malicious code and delete files, earning a CVSS severity score of 10/10.
Cross-site scripting (XSS) also remains a prevalent issue, with hackers embedding malicious code into legitimate sites, compromising user credentials.
Brute-force attacks on admin accounts continue to threaten WordPress sites, particularly those with weak security measures. Furthermore, plugins such as TimThumb, Gravity Forms, and Revslider have been extensively exploited, highlighting the ongoing risk posed by unpatched plugins.
In February 2023, more than 14,000 WordPress users experienced malware infections that placed fraudulent adverts on their sites, redirecting visitors to fake question-and-answer pages. These redirects were intended to improve the search engine optimisation (SEO) of the attackers’ sites. A report by cybersecurity firm Sucuri revealed that, during September and October 2023 alone, 20,000 infected files were found across 2,500 sites.