In August, security researchers uncovered a serious vulnerability in the popular LiteSpeed Cache plugin for WordPress. This flaw could allow unauthorized users to gain administrator rights on affected websites, potentially putting 5 to 6 million WordPress websites at risk.
“The plugin suffers from a privilege escalation vulnerability, allowing unauthenticated visitors to gain admin access and install malicious plugins,” explained Rafie Muhammad from Patchstack. The vulnerability, known as CVE-2024-28000 (CVSS score: 9.8), was fixed in version 6.4 of the plugin, released on August 13, 2024. All versions up to and including 6.3.0.1 are affected.
LiteSpeed Cache is one of the most widely used caching plugins for WordPress, active on over five million websites. This vulnerability allows attackers to manipulate user IDs and register as administrators, granting them full control over vulnerable WordPress websites.
The issue stems from a user simulation function within the plugin, which uses a weak security hash based on a predictable random number. “The plugin doesn’t sufficiently restrict the role simulation, allowing an attacker to set their user ID to that of an admin,” warned Wordfence.
It’s important to note that this vulnerability cannot be exploited on Windows-based WordPress installations, as the hash generation function relies on a PHP method not implemented on Windows.
Recently, another vulnerability in LiteSpeed Cache was discovered: CVE-2024-44000. This flaw allows attackers to log in as authenticated users and potentially gain admin rights.
Attackers can use these rights to install malicious plugins and compromise the entire system.
To put it a little more technically:
The vulnerability results from a faulty implementation of debug logging. Improper handling of HTTP headers and session cookies in the ended() function led to sensitive data such as the Set-Cookie header being written to the debug log.
It’s crucial for users to act quickly and update to version 6.5.0.1 of the plugin.
LiteSpeed Cache - What Can You Do?
The LiteSpeed team has already released an update implementing several protective measures. These include moving debug logs to a secure directory, assigning random names to log files, and removing cookie-related information from logs. It is strongly advised to delete old debug logs and only enable logging when absolutely necessary.
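Before deleting an old debug log, it is worth checking whether it actually captured login cookies, because any session found there should be treated as exposed. The following check is an added example, not code from the plugin or from the LiteSpeed team; it assumes only that leaked headers appear in the log as text containing "Set-Cookie:", and the sample log lines are constructed for illustration.

```python
import re
import sys

# WordPress core auth cookie names: a fixed prefix followed by a per-site hash.
# wordpress_test_cookie carries no session and is deliberately not matched.
AUTH_COOKIE = re.compile(
    r"(?i)(set-cookie:\s*)"
    r"((?:wordpress_logged_in_|wordpress_sec_|wordpress_)[0-9a-f]+)=([^;\s]+)"
)

# Constructed sample; the real log layout may differ (assumption).
SAMPLE_LOG = """\
08/20/24 10:01:02.123 [203.0.113.7:51234 1 abc] Response headers --- array (
  0 => 'Set-Cookie: wordpress_logged_in_0123456789abcdef0123456789abcdef=admin%7C1724500000%7CtokenA%7ChmacA; path=/; HttpOnly',
  1 => 'Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/',
  2 => 'set-cookie: wordpress_sec_0123456789abcdef0123456789abcdef=editor%7C1724500000%7CtokenB%7ChmacB; path=/wp-admin',
)
08/20/24 10:01:03.456 [203.0.113.7:51234 1 abc] Cache-Control: no-cache
""".splitlines()


def scan_lines(lines):
    """Return (findings, redacted_lines); findings are (line_no, cookie_name)."""
    findings, redacted = [], []
    for no, line in enumerate(lines, 1):
        def _mask(m, no=no):
            findings.append((no, m.group(2)))
            # Keep the cookie name for triage, drop the session value.
            return f"{m.group(1)}{m.group(2)}=[REDACTED]"
        redacted.append(AUTH_COOKIE.sub(_mask, line))
    return findings, redacted


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a debug log, supplied by the operator
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    hits, _ = scan_lines(lines)
    for no, name in hits:
        print(f"line {no}: auth cookie {name} present in log")
    print(f"{len(hits)} leaked auth cookie(s) found")
```

The redacted lines returned by scan_lines can be kept as evidence if the original log has to be removed from the web server.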
An earlier vulnerability in LiteSpeed Cache (CVE-2023-40000, CVSS score: 8.3), disclosed before these two, has already been exploited by malicious actors. In light of this, it is imperative that users quickly update their installations to the latest version.
With plugins like this, which can cause problems for some time due to vulnerabilities, I can only recommend that all software used for the WordPress website is always kept up to date.
Vulnerabilities like these highlight the importance of keeping all plugins and themes up to date. While this cannot completely prevent attacks, it significantly reduces the risk of becoming a victim.