Critical vulnerability discovered in popular WordPress plugin 'LiteSpeed Cache' that could expose millions of websites



WordPress, an open source blogging platform and content management system, was used by 43.4% of all websites as of April 2024. A popular WordPress plugin, LiteSpeed Cache, has been reported to contain a vulnerability that could expose millions of websites to takeover.

Critical Privilege Escalation in LiteSpeed Cache Plugin - Patchstack
https://patchstack.com/articles/critical-privilege-escalation-in-litespeed-cache-plugin-affecting-5-million-sites



Security Update for LiteSpeed Cache ⋆ LiteSpeed Blog
https://blog.litespeedtech.com/2024/08/21/security-update-for-litespeed-cache/

Over 5,000,000 Site Owners Affected by Critical Privilege Escalation Vulnerability Patched in LiteSpeed Cache Plugin
https://www.wordfence.com/blog/2024/08/over-5000000-site-owners-affected-by-critical-privilege-escalation-vulnerability-patched-in-litespeed-cache-plugin/

Litespeed Cache bug exposes millions of WordPress sites to takeover attacks
https://www.bleepingcomputer.com/news/security/litespeed-cache-bug-exposes-millions-of-wordpress-sites-to-takeover-attacks/

LiteSpeed Cache is a plugin that can speed up your WordPress website with dedicated server level caching and optimization features. At the time of writing, it has over 5 million active installs, making it one of the most popular WordPress plugins.

A critical vulnerability in LiteSpeed Cache was reported through the bug bounty program of Patchstack, a WordPress vulnerability disclosure organization. It was discovered by security researcher John Blackbourn, who was awarded $14,400 (approximately 2.1 million yen), the highest amount ever paid in a WordPress bug bounty.

LiteSpeed Cache includes a crawler that visits pages on a schedule to build the website's cache. So that pages can also be cached as logged-in users see them, the crawler can simulate a user with a specific user ID, and a security hash is meant to stop anyone else from using that feature. However, the generated security hash can take only about 1,000,000 possible values, so an attacker can brute-force it, simulate any user ID (including an administrator's), and then create a new administrator account.

Patchstack points out that even a relatively slow brute-force attack of three requests per second could recover the security hash in somewhere between a few hours and a week. The vulnerability has been assigned the identifier CVE-2024-28000.
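As an added illustration (not the plugin's code and not Patchstack's proof of concept), the model below shows why a hash whose generator is driven by a seed with only 1,000,000 possible values is brute-forceable no matter how random the six-character string looks, and what the three-requests-per-second estimate amounts to. The seed space, the alphanumeric hash format, the HashCheck verifier, and the seed 4242 are constructed assumptions; the hardened generator using the OS CSPRNG via secrets.token_hex is one illustrative fix, not the change shipped in version 6.4.

```python
import hmac
import random
import secrets
import string

# Illustrative model (not the plugin's code): the page says the generated
# security hash has only 1,000,000 possible values, which is what results
# when a deterministic PRNG is seeded from a value with only 10**6 choices.
SEED_SPACE = 1_000_000
ALPHABET = string.ascii_letters + string.digits
HASH_LEN = 6


def weak_hash(seed: int) -> str:
    """Six-character 'random' hash fully determined by a seed in [0, SEED_SPACE).

    62**6 strings are possible on paper, but because the seed has only
    10**6 values, at most 10**6 distinct hashes can ever be produced.
    """
    if not 0 <= seed < SEED_SPACE:
        raise ValueError("seed outside the modelled seed space")
    rng = random.Random(seed)  # deterministic for a given seed
    return "".join(rng.choice(ALPHABET) for _ in range(HASH_LEN))


class HashCheck:
    """Toy stand-in for a server that accepts a request only when the
    presented hash equals the one it generated; counts every request."""

    def __init__(self, secret_hash: str) -> None:
        self._secret = secret_hash
        self.requests = 0

    def check(self, presented: str) -> bool:
        self.requests += 1
        # Constant-time comparison; it does not help when the space is tiny.
        return hmac.compare_digest(self._secret, presented)


def brute_force(target: HashCheck, max_seeds: int = SEED_SPACE):
    """Enumerate seeds in order; return (hash, requests_used) or (None, requests_used)."""
    for seed in range(max_seeds):
        candidate = weak_hash(seed)
        if target.check(candidate):
            return candidate, target.requests
    return None, target.requests


def worst_case_hours(rate_per_second: float = 3.0, space: int = SEED_SPACE) -> float:
    """Hours needed to try every candidate at the given request rate."""
    return space / rate_per_second / 3600.0


def strong_hash() -> str:
    """Hardened alternative: 128 bits from the OS CSPRNG, so there is no seed to guess."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed scenario: the server happened to draw seed 4242.
    server = HashCheck(weak_hash(4242))
    found, tries = brute_force(server)
    print(f"recovered {found!r} after {tries} requests")
    print(f"worst case at 3 req/s: {worst_case_hours():.1f} hours")
    token = strong_hash()
    print(f"strong token example: {token} ({len(token) * 4} bits)")
```

Running the script recovers the seeded hash after a few thousand requests and reports the exhaustive worst case at three requests per second as roughly 93 hours, in line with the "few hours to a week" estimate above. The point is that the guessable part is the seed, not the hash string: rate limiting at the verifier only stretches the timeline, whereas a token drawn from a CSPRNG with 128 bits of entropy takes brute force off the table.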

Exploitation of the vulnerability could allow an unauthenticated attacker to gain administrator-level access and completely take over a website, allowing them to upload and install malicious plugins, change critical settings, redirect visitors to malicious websites, distribute malware to visitors, and steal user data.



The LiteSpeed Cache developers fixed the vulnerability in version 6.4, released on August 13, 2024. However, according to download statistics from the official WordPress plugin repository, the majority of installations are still running version 6.3 or earlier, leaving millions of websites exposed.

in Software, Web Service, Security, Posted by log1h_ik