Litespeed Cache Flaw Leaves Millions of WordPress Sites Open to Takeover Attacks

A critical vulnerability in the LiteSpeed Cache WordPress plugin has put millions of websites at risk, potentially allowing attackers to take full control by creating rogue admin accounts. LiteSpeed Cache, the most popular WordPress site acceleration plugin with over 5 million active installations, is widely used due to its support for various platforms like WooCommerce, bbPress, ClassicPress, and Yoast SEO. The vulnerability, identified as CVE-2024-28000, was discovered in the plugin's user simulation feature and stems from a weak hash check in LiteSpeed Cache versions up to and including 6.3.0.1.

The flaw was first reported by security researcher John Blackbourn through Patchstack's bug bounty program on August 1. In response, the LiteSpeed team swiftly developed and released a patch with LiteSpeed Cache version 6.4 on August 13, addressing this critical security issue.

The vulnerability allows unauthenticated attackers to escalate their privileges and gain administrator-level access to the affected websites. This access can be exploited to completely take over vulnerable websites by installing malicious plugins, altering critical settings, redirecting traffic to malicious sites, distributing malware to visitors, or stealing sensitive user data. Patchstack security researcher Rafie Muhammad explained that a brute force attack could easily exploit this weakness by iterating through all 1 million possible security hash values. This attack, even at a low rate of three requests per second, could allow an attacker to access the site within a few hours to a week, provided they know the ID of an administrator-level user, which is often predictable.

Despite the release of the patched version, the situation remains dire. Download statistics from WordPress' official plugin repository indicate that LiteSpeed Cache has only been downloaded approximately 2.5 million times since the patch's release, leaving potentially more than half of all websites using the plugin exposed to attacks. This slow adoption of the update increases the risk of exploitation, especially since attackers are known to actively scan for vulnerabilities in popular plugins.

This is not the first time LiteSpeed Cache has been targeted. Earlier this year, an unauthenticated cross-site scripting flaw (CVE-2023-40000) in LiteSpeed Cache was exploited by attackers to create rogue admin users and take control of vulnerable websites. In response, WPScan, a security team from Automattic, reported in May that attackers had been scanning for targets since April, with over 1.2 million probes originating from a single malicious IP address.

Given the severity of the current vulnerability, security experts strongly advise users to immediately update their LiteSpeed Cache plugin to the latest version, which is 6.4.1 at the time of this writing. Wordfence threat intelligence lead Chloe Chamberland emphasized the urgency, stating, "We have no doubts that this vulnerability will be actively exploited very soon."

The broader context of WordPress security also underscores the importance of timely updates. In June, Wordfence Threat Intelligence reported that a threat actor had backdoored at least five plugins on WordPress.org, embedding malicious PHP scripts that could create admin accounts on compromised sites. These incidents underscore the ongoing and increasingly sophisticated threats targeting WordPress sites, making it imperative for website administrators to maintain vigilant security practices. The popularity of WordPress and its extensive ecosystem of plugins make it an attractive target for cybercriminals, who continuously exploit vulnerabilities to gain unauthorized access, distribute malware, and compromise user data.

Given the widespread adoption of WordPress, a single vulnerability in a popular plugin like LiteSpeed Cache can expose millions of sites to potential attacks. The speed at which attackers exploit these vulnerabilities further emphasizes the importance of prompt updates and proactive security measures. Administrators must ensure that plugins, themes, and the core WordPress platform are regularly updated, and they should also consider implementing additional security layers such as firewalls, intrusion detection systems, and two-factor authentication.

Moreover, regular security audits, monitoring for suspicious activity, and staying informed about emerging threats can help mitigate the risks. The consequences of a breach can be severe, ranging from data theft to reputational damage, making cybersecurity a critical aspect of website management. As threats continue to evolve, so too must the strategies employed by website administrators to protect their sites and their users.