Hackers are running an ongoing campaign that exploits WordPress sites running an outdated LiteSpeed Cache plugin to create admin accounts and take over sites. The LS Cache developers market the software as a caching plugin that over five million WordPress sites use to improve page load times, visitor experience, and Google search ranking.
However, a recent study observed increased activity in April from threat actors scanning for and compromising WordPress sites with plugin versions older than 5.7.0.1. These versions are vulnerable to an unauthenticated cross-site scripting flaw known as CVE-2023-40000.
The LiteSpeed Cache flaw exploit uses hostile JavaScript code.
According to investigations, attackers exploiting the LiteSpeed Cache flaw inject malicious JavaScript code into critical WordPress files or the database. This technique allows the threat actors to create administrator users named ‘wpsupp user’ or ‘wp configuser.’
Another indicator of infection is the presence of the “eval(atob(Strings.fromCharCode” text in the database’s “litespeed.admin_display.messages” option.
Many LiteSpeed Cache users have updated to more recent versions that are not vulnerable to CVE-2023-40000. However, a significant proportion, about 2 million users, still run the vulnerable edition.
In addition, the ability to create admin accounts on WordPress sites gives attackers complete control of the site, allowing them to edit content, install plugins, modify settings, redirect visitors to malicious sites, deploy malware, run phishing attacks, or steal user data.
Earlier this week, separate research reported another campaign that creates administrator accounts using the WordPress plugin “Email Subscribers”. However, the hackers for this campaign are exploiting a different vulnerability called CVE-2024-2876, a major SQL injection flaw.
The Email Subscribers plugin is significantly less popular than LiteSpeed Cache, with 90,000 active installations. However, the vulnerability is still attractive to threat actors because it lets them compromise WordPress websites.
Therefore, WordPress site administrators should update plugins to the latest version and remove or disable any unnecessary components. Additionally, monitor for newly created admin accounts.
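The two indicators described above, the IoC string in the `litespeed.admin_display.messages` option and the rogue administrator accounts, can be checked from a database export or from rows pulled out of `wp_options` and `wp_users`. The following triage script is an added example, not code from the article or from the LiteSpeed project: the sample rows are constructed, the helper names are this example's own, and the rule that compares account names with spaces, hyphens and underscores removed is an assumption made so that both spellings of the reported names match. It also flags any `eval(atob(` wrapper in an option value, which is broader than the single quoted string.

```python
"""Defender-side triage of WordPress data for the indicators reported for the
LiteSpeed Cache (CVE-2023-40000) campaign. Sample rows below are constructed;
function names and the login-normalisation rule are this example's assumptions."""
import re
from datetime import datetime

# IoC string quoted in the report, matched verbatim.
IOC_STRING = "eval(atob(Strings.fromCharCode"
# Broader check: any eval(atob(...)) wrapper stored in an option is worth review.
EVAL_ATOB_RE = re.compile(r"eval\s*\(\s*atob\s*\(")
# Reported rogue logins, stored with separators removed (assumed normalisation).
KNOWN_ROGUE_LOGINS = {"wpsuppuser", "wpconfiguser"}

# Constructed rows shaped like SELECT option_name, option_value FROM wp_options
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.invalid"),
    ("litespeed.conf.cache", "1"),
    ("litespeed.admin_display.messages",
     'a:1:{i:0;s:48:"<script>eval(atob(Strings.fromCharCode(100,111)))</script>";}'),
    ("widget_text", "<script>eval(atob('ZG9jdW1lbnQ='))</script>"),
]
# Constructed rows shaped like SELECT ID, user_login, user_registered FROM wp_users,
# already filtered to accounts holding the administrator role.
SAMPLE_ADMINS = [
    ("1", "siteowner", "2021-03-14 09:00:00"),
    ("57", "wpsupp-user", "2024-04-29 02:17:43"),
    ("58", "deploybot", "2024-05-02 11:05:10"),
]


def normalise_login(login: str) -> str:
    """Drop spaces, hyphens and underscores so 'wpsupp-user' and 'wpsupp user' compare equal."""
    return re.sub(r"[\s\-_]", "", login).lower()


def find_ioc_options(options):
    """Return (option_name, reason) for every option row whose value carries an indicator."""
    hits = []
    for name, value in options:
        if IOC_STRING in value:
            hits.append((name, "known IoC string"))
        elif EVAL_ATOB_RE.search(value):
            hits.append((name, "eval(atob( wrapper"))
    return hits


def flag_admin_accounts(admins, created_after):
    """Return (user_login, reason) for admin rows that match the reported rogue
    names or were registered on or after the review cutoff date (YYYY-MM-DD)."""
    cutoff = datetime.strptime(created_after, "%Y-%m-%d")
    flagged = []
    for _uid, login, registered in admins:
        if normalise_login(login) in KNOWN_ROGUE_LOGINS:
            flagged.append((login, "matches known rogue login"))
        elif datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= cutoff:
            flagged.append((login, "admin created after cutoff"))
    return flagged


if __name__ == "__main__":
    for name, reason in find_ioc_options(SAMPLE_OPTIONS):
        print(f"option {name}: {reason}")
    for login, reason in flag_admin_accounts(SAMPLE_ADMINS, "2024-04-01"):
        print(f"admin {login}: {reason}")
```

Run against a real site, the option and user rows would come from the live database or a dump rather than the constructed lists; a hit on the option check or an unexplained admin created after the cutoff is the cue to start the full cleanup described next.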
Experts urge admins to execute a complete site cleanup to prevent such compromise. The procedure includes eliminating all rogue accounts, resetting passwords for all current accounts, and restoring the database and site files from clean backups.