WordPress sites are prone to attacks due to a LiteSpeed plugin bug

August 29, 2024

The newly discovered LiteSpeed plugin bug has put millions of WordPress websites at risk. Based on reports, malicious actors can take over WordPress websites that use this plugin and create rogue admin accounts.

LiteSpeed Cache is one of the most widely used open-source WordPress site accelerator plugins, with more than 5 million active installations and support for WooCommerce, bbPress, ClassicPress, and Yoast SEO.

The bug in question is an unauthenticated privilege escalation vulnerability tracked as CVE-2024-28000. Researchers found that the flaw lies in the plugin's user simulation feature and is caused by a weak hash check in LiteSpeed Cache versions up to and including 6.3.0.1.


Responsible vulnerability reporting led to the disclosure of the new LiteSpeed vulnerability.


According to researchers, the LiteSpeed flaw became public knowledge after it was reported to a bug bounty program earlier this month. The disclosure prompted the LiteSpeed team to fix it in LiteSpeed Cache version 6.4, released on August 13.

Successfully exploiting the bug could grant any unauthorised user admin-level access to a WordPress website that employs the plugin.

Such capability could give the user complete control of the website on a vulnerable LiteSpeed Cache version. Moreover, these attackers could also execute other malicious activities, such as installing malicious plugins, changing critical settings, redirecting traffic to malicious websites, distributing malware to visitors, or stealing user data.

Attackers can also brute-force the security hash, which has only 1 million known possible values. Hence, they can bypass the plugin's check at a relatively low rate of three requests per second.

This technique has one prerequisite: the attacker must know the ID of an admin-level user and supply it in the litespeed_role cookie. How difficult that is depends entirely on the targeted WordPress site; in many cases, a user ID of 1 will suffice.
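The request pattern described above (one source cycling through many hash values for the same litespeed_role user ID at a few requests per second) is something a site owner can look for in access logs. The following detection script is an added example, not code from the article or the plugin; it assumes the web server was configured to log the Cookie header, treats `litespeed_hash` as the assumed name of the companion hash cookie, and runs over constructed log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (the stock "combined" format does not record cookies):
#   ip  ISO-timestamp  "request"  status  "Cookie header"
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<req>[^"]*)" '
                     r'(?P<status>\d{3}) "(?P<cookies>[^"]*)"$')
ROLE_RE = re.compile(r'(?:^|;\s*)litespeed_role=(?P<uid>\d+)')

def parse_line(line):
    """Fields of one user-simulation request (has litespeed_role), else None."""
    m = LINE_RE.match(line)
    role = ROLE_RE.search(m['cookies']) if m else None
    if role is None:
        return None
    return {'ip': m['ip'], 'ts': datetime.fromisoformat(m['ts']),
            'uid': int(role['uid']), 'cookies': m['cookies']}

def find_bruteforce(lines, window=timedelta(seconds=10), max_variants=5):
    """Map (ip, admin user ID) -> number of distinct cookie strings seen inside
    `window`, for sources exceeding `max_variants`. A genuine use of the feature
    sends one fixed cookie pair; a brute force cycles through hash candidates
    while keeping the same litespeed_role value."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev['ip'], ev['uid'])].append((ev['ts'], ev['cookies']))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            variants = {c for _, c in evs[start:end + 1]}
            if len(variants) > max_variants:
                hits[key] = max(hits.get(key, 0), len(variants))
    return hits

def sample_log():
    """Constructed lines: one legitimate session, one burst at ~3 req/s, noise.
    'litespeed_hash' is the assumed name of the companion hash cookie."""
    legit = [f'198.51.100.5 2024-08-20T10:00:{s:02d} "GET /wp-admin/ HTTP/1.1" 200 '
             '"litespeed_role=1; litespeed_hash=123456"' for s in (0, 7, 15)]
    burst = [f'203.0.113.10 2024-08-20T10:01:{i // 3:02d} "GET / HTTP/1.1" 200 '
             f'"litespeed_role=1; litespeed_hash={i:06d}"' for i in range(24)]
    noise = ['192.0.2.9 2024-08-20T10:02:00 "GET /about/ HTTP/1.1" 200 "wp_lang=en"']
    return legit + burst + noise
```

On the constructed sample, `find_bruteforce(sample_log())` flags only the bursting source, as `{('203.0.113.10', 1): 24}`; the legitimate session and the unrelated request are ignored.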

Despite the plugin’s development team releasing a patch for the flawed version, most WordPress sites that employ LiteSpeed have yet to adopt the update. Therefore, sites that still run on the vulnerable version will be the ones prone to exploitation and possible compromise.
