Cybersecurity researchers have revealed a serious security vulnerability in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to gain administrator privileges.
Beyond LiteSpeed Cache, it should be noted that, unfortunately, the platform is no stranger to other types of abuse by cybercriminals.
LiteSpeed Cache: What are the problems it brings with it?
“The plugin suffers from an unauthenticated privilege escalation vulnerability that allows any unauthenticated visitor to gain Administrator level access, after which malicious plugins may be loaded and installed,” said Patchstack’s Rafie Muhammad in a report published Wednesday.
The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), was fixed in plugin version 6.4, released on August 13, 2024. It affects all versions of the plugin up to and including 6.3.0.1.
LiteSpeed Cache is one of the most widely used caching plugins for WordPress, with over five million active installations.
What are the issues with previous versions of LiteSpeed Cache?
In short, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and log in as a user with administrator privileges, effectively granting the ability to take control of a vulnerable WordPress site.
The vulnerability is rooted in a user simulation function in the plugin that uses a weak security hash, which suffers from the use of an easily guessable random number as a seed.
In particular, there are only a million possible values for the security hash, because the random number generator is seeded with the microsecond portion of the current time. Furthermore, the random number generator is not cryptographically secure, and the generated hash is neither salted nor tied to a particular request or user.
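As an added illustration (not code from the plugin, Patchstack or Wordfence), the Python sketch below models the flawed pattern described above and contrasts it with a token drawn from a CSPRNG, keyed with a server secret, and bound to one user and an expiry time. The function names, the token layout and the 6-character length are assumptions made for this example.

```python
import hashlib
import hmac
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
SEED_SPACE = 1_000_000  # microsecond portion of the clock: 0..999999


def weak_hash(microseconds: int, length: int = 6) -> str:
    """Model of the flawed pattern (not the plugin's code): a non-cryptographic
    PRNG seeded only with the microsecond field. Length 6 is an assumption."""
    rng = random.Random(microseconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def weak_entropy_bits() -> float:
    """The output is a pure function of the seed, so entropy <= log2(seeds)."""
    return math.log2(SEED_SPACE)


def issue_token(key: bytes, user_id: int, expires_at: int) -> str:
    """Hardened form: CSPRNG nonce, keyed MAC, bound to one user and expiry."""
    nonce = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    msg = f"{user_id}|{expires_at}|{nonce}"
    tag = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{tag}"


def verify_token(key: bytes, token: str, user_id: int, now: int) -> bool:
    """Reject malformed, forged, expired, or wrong-user tokens."""
    try:
        uid, exp, nonce, tag = token.split("|")
        expires_at = int(exp)
    except ValueError:
        return False
    msg = f"{uid}|{exp}|{nonce}"
    expected = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return uid == str(user_id) and now < expires_at


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed server-side secret
    print(weak_hash(123456), f"{weak_entropy_bits():.1f} bits at most")
    print(verify_token(key, issue_token(key, 7, 2000), 7, 1000))
```

The weak value carries at most about 20 bits of entropy however long its output string is, while the hardened token fails verification for any other user, after expiry, or without the server key.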
Brief technical operation of the LiteSpeed Cache WordPress plugin
“This is due to the fact that the plugin does not properly limit role simulation functionality, allowing a user to set their current ID to that of an administrator, if it has access to a valid hash that can be found in debug logs or via brute force,” Wordfence said in its own advisory.
Wordfence further added: “This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator and then create a new user account with the administrator role using the /wp-json/wp/v2/users REST API endpoint.”
Surprise! The vulnerability is not exploitable on Windows
It is important to note that the vulnerability cannot be exploited on Windows-based WordPress installations because the hash generation function depends on a PHP function called sys_getloadavg(), which is not implemented on Windows.
“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values used as security hashes or nonces,” Muhammad said.
This means that in this specific case Linux-based operating systems are vulnerable, rather than operating systems like Windows 10 or Windows 11; it should be noted that the vulnerability in this plugin was preemptively fixed before it could cause any IT damage.
With a previous vulnerability disclosed in LiteSpeed Cache (CVE-2023-40000, CVSS score: 8.3) being exploited by malicious actors, it is imperative that users quickly upgrade their instances to the latest version.
The “fear” of updates
Updates are often associated, particularly on Windows operating systems, with causing problems, and in some cases that is true. It must be said, however, that in the vast majority of cases not installing them is worse (unless the developer indicates otherwise).
It should also be noted that this is not just true of Windows, and that this plugin bug does not actually affect Windows.