Millions of WordPress sites are at risk due to critical LiteSpeed Cache vulnerability

Newly discovered flaw allows unauthorized WordPress admin access

A significant security vulnerability has been identified in the popular LiteSpeed Cache plugin, potentially compromising millions of WordPress websites. The vulnerability, classified as CVE-2024-28000, was discovered by security researcher John Blackbourn and reported through the Patchstack Zero Day bug bounty program, earning him a substantial USD 14,400 reward.

This flaw, if exploited, allows attackers to gain administrator-level access to WordPress sites, posing severe risks to site owners and users alike[1].

The vulnerability stems from a weak security hash mechanism within the LiteSpeed Cache plugin's user simulation feature. This feature, designed to help pre-populate cache files, uses a hash that is easily predictable due to its reliance on a poorly randomized number generator. The hash, once generated, remains static, allowing attackers to launch brute-force attacks to discover it and escalate their privileges to that of an administrator on the targeted site.

Technical details of the vulnerability highlight the serious risks

The LiteSpeed Cache plugin, which boasts over 5 million active installations, is widely used for its advanced caching capabilities that significantly enhance site performance. However, the discovered vulnerability has cast a shadow over its security credentials.

The flaw allows attackers to trigger the generation of a weak security hash even if the plugin’s crawler feature is disabled. By exploiting an unprotected AJAX handler, an attacker can force the creation of this hash and then attempt to brute-force it.

Once the correct hash is identified, the attacker can manipulate the system to gain administrator-level access, enabling them to deploy malicious plugins, alter site settings, redirect traffic to malicious websites, or even steal user data. The security hash’s predictability, with only one million possible values, makes it particularly susceptible to such brute-force attacks, which could succeed within a few hours to a week, depending on the site’s configuration.

Patch released, but millions remain vulnerable

The developers of LiteSpeed Cache acted swiftly upon notification of the vulnerability, releasing a patch on August 13, 2024, with version 6.4 of the plugin. This update introduced several critical security enhancements, including a more complex 32-character random hash, one-time-use hashes valid for only 120 seconds, and improvements to ensure that the security hash is tied to the requesting IP address.
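The two designs contrasted above, as an added example that is not LiteSpeed Cache's code or the article's: a schematic model of a weak hash with the pre-6.4 properties the article describes (one million possible values, a non-cryptographic generator, minted once and kept static) beside a token store with the properties of the 6.4 fix (32-character random value, single use, 120-second lifetime, bound to the requesting IP). The class and function names, the injectable clock and the `worst_case_exhaust_seconds` helper are this example's own assumptions.

```python
# Added example (not LiteSpeed Cache's code): a schematic model of the two
# designs the article contrasts. WeakHashStore has the pre-6.4 properties
# (one million possible values, non-cryptographic PRNG, generated once and
# kept static); OneTimeTokenStore has the properties of the 6.4 fix
# (32-character random value, single use, 120-second lifetime, bound to the
# requesting IP). Class and function names are this example's own.
import random
import secrets
import time

HASH_SPACE = 1_000_000        # article: "only one million possible values"
TOKEN_TTL_SECONDS = 120       # article: hashes valid for only 120 seconds
TOKEN_LENGTH = 32             # article: 32-character random hash


class WeakHashStore:
    """Pre-fix model: a 6-digit value from random.Random (Mersenne Twister,
    not a CSPRNG) that is minted once and then answers every later request."""

    def __init__(self, seed=None):
        self._rng = random.Random(seed)
        self._hash = None

    def get_or_create(self):
        # Static: the same value is returned for the lifetime of the store,
        # so a guesser keeps trying against one fixed target.
        if self._hash is None:
            self._hash = f"{self._rng.randrange(HASH_SPACE):06d}"
        return self._hash

    def check(self, candidate):
        # Nothing limits or expires guesses; the weakness is the key space
        # and the static value, not the comparison itself.
        return self._hash is not None and candidate == self._hash


def worst_case_exhaust_seconds(guesses_per_second):
    """Time to try every value of a static 10^6 space at a given request rate.
    At 100 req/s that is about 2.8 hours; at 2 req/s about 5.8 days, which is
    the article's 'a few hours to a week' range. Rate limiting the endpoint
    moves this number directly."""
    return HASH_SPACE / guesses_per_second


class OneTimeTokenStore:
    """Post-fix model: CSPRNG token, 120 s TTL, single use, IP-bound."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for tests; defaults to wall clock
        self._tokens = {}            # token -> (issued_to_ip, expires_at)

    def issue(self, client_ip):
        token = secrets.token_hex(TOKEN_LENGTH // 2)   # 16 random bytes -> 32 hex chars
        self._tokens[token] = (client_ip, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, client_ip):
        """True exactly once, for the issuing IP, inside the TTL; False otherwise.
        The entry is removed on any lookup, so a token cannot be replayed and a
        wrong-IP or late attempt burns it rather than leaving it live."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        issued_to, expires_at = entry
        if self._clock() > expires_at:
            return False
        return secrets.compare_digest(issued_to, client_ip)

    def purge_expired(self):
        """Housekeeping so unredeemed tokens do not accumulate; returns the
        number of tokens still live."""
        now = self._clock()
        self._tokens = {t: e for t, e in self._tokens.items() if e[1] >= now}
        return len(self._tokens)
```

The point of the comparison is that each of the three fix properties closes a different door: a 32-character value from a CSPRNG makes guessing and prediction infeasible, the 120-second lifetime bounds how long any leaked or guessed value is useful, and single use plus IP binding means a value observed in transit cannot be replayed from elsewhere.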

Despite the release of the patch, millions of WordPress sites remain at risk. Data from WordPress.org indicates that only 30% of users have updated to the latest version[2], leaving nearly 3.8 million sites vulnerable to potential attacks. Given the widespread use of LiteSpeed Cache, the impact of this vulnerability could be far-reaching if site administrators do not take immediate action to update their installations.

Historical context and recommendations for WordPress site owners

This is not the first time LiteSpeed Cache has been targeted by attackers. Earlier this year[3], a cross-site scripting vulnerability in the plugin was exploited to create rogue administrator accounts, leading to widespread site takeovers. The recent discovery of the privilege escalation vulnerability adds to the growing list of security concerns associated with this plugin.

To mitigate the risks, site owners are strongly urged to update to LiteSpeed Cache version 6.4 or later. If updating is not immediately possible, disabling or uninstalling the plugin is recommended to prevent potential exploitation. Additionally, WordPress security experts emphasize the importance of maintaining updated plugins and regularly monitoring site security to protect against emerging threats.
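One concrete form the "regularly monitoring site security" advice can take, as an added example that is not from the article or the plugin: a small check over the web server's access log that flags hosts hammering WordPress's AJAX entry point, the traffic shape a brute-force of the kind described above would leave behind. The log lines are constructed for the example; the 60-second window, the 50-hit threshold and the `action=placeholder_action` query string are this example's assumptions, not values from the page.

```python
# Added example (not from the article or the plugin): flag hosts that hammer
# WordPress's AJAX endpoint, the traffic pattern a brute-force like the one
# described would leave in the web server's access log. Log lines are
# constructed; the 60-second window, the 50-hit threshold and the
# "action=placeholder_action" query string are this example's assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AJAX_PATH = "/wp-admin/admin-ajax.php"   # WordPress's standard AJAX entry point
WINDOW = timedelta(seconds=60)
THRESHOLD = 50                           # assumption: >50 hits/min from one IP

# Combined-log-format subset: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path-without-query) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0]


def find_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of admin-ajax.php requests per IP.
    Returns {ip: peak_hits_in_any_window} for IPs whose peak exceeds threshold."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if path == AJAX_PATH:
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def _fmt(ip, ts, path, status=200):
    """Build one constructed access-log line in combined format."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512 "-" "curl/8.0"'


def constructed_log():
    """Constructed sample: one host making 120 AJAX requests in a minute
    (2 req/s), one ordinary visitor making a handful, and one junk line."""
    base = datetime(2024, 8, 20, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_fmt("198.51.100.4", base, "/index.php")]
    for i in range(120):
        lines.append(_fmt("203.0.113.77", base + timedelta(seconds=i // 2),
                          AJAX_PATH + "?action=placeholder_action"))
    for i in range(3):
        lines.append(_fmt("198.51.100.4", base + timedelta(seconds=20 * i), AJAX_PATH))
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for ip, peak in find_bursts(constructed_log()).items():
        print(f"{ip}: {peak} admin-ajax.php requests within {WINDOW.seconds}s")
```

The check looks only at request volume per source, so it does not depend on knowing the vulnerable action name and still works after the update; in production the threshold should be set from the site's own baseline of admin-ajax.php traffic, which legitimate front-end features also use.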

As the cybersecurity landscape continues to evolve, vulnerabilities like those found in LiteSpeed Cache serve as a stark reminder of the ongoing need for vigilance and proactive security measures. By staying informed and acting swiftly, site owners can help safeguard their websites from potentially devastating attacks.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
