Description
Hackers have begun exploiting a critical vulnerability in the LiteSpeed Cache plugin, a popular tool used by WordPress websites to enhance performance by accelerating response times. The flaw, tracked as CVE-2024-28000, affects all versions of the plugin up to 6.3.0.1 and allows unauthorized privilege escalation. This vulnerability poses a severe risk, as it can lead to complete takeover of websites running the vulnerable plugin.
Details
The vulnerability arises from a weak hash check in the plugin’s user simulation feature, which attackers can exploit by brute-forcing the hash value. By doing so, they can create rogue administrator accounts through the WordPress REST API, gaining full control over the affected website. The method, demonstrated by security researcher Rafie Muhammad, involves cycling through 1 million possible security hash values at a rate of three requests per second. Depending on server response time, the attack can succeed in gaining site access in as little as a few hours or up to a week.
Indicators of Compromise (IoCs)
Organizations should monitor for the following indicators of compromise:
Remediation
To protect against this vulnerability, users of the LiteSpeed Cache plugin are strongly advised to update to the latest version (6.4.1) immediately. For those unable to update, the plugin should be uninstalled to mitigate the risk. Additionally, website administrators should monitor for any signs of compromise, such as unauthorized account creation or unexpected changes to site configurations. Implementing additional security measures, such as rate limiting and monitoring REST API access, can also help reduce the risk of exploitation.
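Added example (not from the advisory, the CIRT, or the plugin vendor): a small Python log scan that implements the REST API monitoring advised above, run over constructed web-server log lines. It flags a source that bursts the WordPress REST API (the hash-guessing traffic described above runs at three requests per second) and any accepted account creation through the REST API users endpoint; the thresholds, endpoint path and sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format fields used here: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def analyse(lines, rest_prefix="/wp-json/", max_hits=30, window=timedelta(seconds=10)):
    """Scan log lines and return alerts as (kind, ip, iso_timestamp) tuples."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # ip -> timestamps of REST API hits inside the window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # A rogue administrator is created through the REST API, so an accepted POST
        # (HTTP 201) to the users endpoint is alerted on regardless of request rate.
        if method == "POST" and path.startswith(rest_prefix + "wp/v2/users") and status == 201:
            alerts.append(("user_created_via_rest", ip, ts.isoformat()))
        if not path.startswith(rest_prefix):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the sliding window
            q.popleft()
        if len(q) >= max_hits and ip not in flagged:  # one burst alert per source
            flagged.add(ip)
            alerts.append(("rest_api_burst", ip, ts.isoformat()))
    return alerts

def sample_log():
    """Constructed traffic (not real data): a benign hit, then one client polling the
    REST API at three requests per second (the rate cited above), then a user creation."""
    base = datetime(2024, 8, 21, 10, 0, tzinfo=timezone.utc)
    lines = ['198.51.100.4 - - [%s] "GET /index.php HTTP/1.1" 200 5120' % base.strftime(TS_FMT)]
    for i in range(120):  # 40 seconds of hash guessing at 3 req/s (assumed traffic shape)
        t = (base + timedelta(seconds=i // 3)).strftime(TS_FMT)
        lines.append('203.0.113.7 - - [%s] "GET /wp-json/wp/v2/users HTTP/1.1" 401 120' % t)
    t = (base + timedelta(seconds=41)).strftime(TS_FMT)
    lines.append('203.0.113.7 - - [%s] "POST /wp-json/wp/v2/users HTTP/1.1" 201 512' % t)
    return lines
```

Running `analyse(sample_log())` yields one `rest_api_burst` alert for 203.0.113.7 followed by one `user_created_via_rest` alert; feed real access-log lines instead of `sample_log()` to use it on a live site.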
The Guyana National CIRT recommends that users and administrators review this alert and apply the recommended updates and mitigations where necessary.
PDF Download: Critical Vulnerability Exploited in LiteSpeed Cache Plugin