Lucene search

K
thnThe Hacker NewsTHN:D6261BB26C00FCFC13ECF1D8C8D7D395
HistoryAug 22, 2024 - 5:02 a.m.

Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access

2024-08-2205:02:00
The Hacker News
thehackernews.com
39
wordpress
litespeed cache
security flaw
privilege escalation
cve-2024-28000
patch
vulnerability mitigation
cybersecurity
php method

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0

Percentile

9.5%

WordPress LiteSpeed Cache

Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could permit unauthenticated users to gain administrator privileges.

“The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and installed,” Patchstack’s Rafie Muhammad said in a Wednesday report.

The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), has been patched in version 6.4 of the plugin released on August 13, 2024. It impacts all versions of the plugin, including and prior to 6.3.0.1.

Cybersecurity

LiteSpeed Cache is one of the most widely used caching plugins in WordPress with over five million active installations.

In a nutshell, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them privileges to take over a vulnerable WordPress site.

The vulnerability is rooted in a user simulation feature in the plugin that uses a weak security hash that suffers from the use of a trivially guessable random number as the seed.

Specifically, there are only one million possible values for the security hash due to the fact that the random number generator is derived from the microsecond portion of the current time. What’s more, the random number generator is not cryptographically secure and the generated hash is neither salted nor tied to a particular request or a user.

“This is due to the plugin not properly restricting the role simulation functionality allowing a user to set their current ID to that of an administrator, if they have access to a valid hash which can be found in the debug logs or through brute force,” Wordfence said in its own alert.

“This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator, and then create a new user account with the administrator role utilizing the /wp-json/wp/v2/users REST API endpoint.”

Cybersecurity

It’s important to note that the vulnerability cannot be exploited on Windows-based WordPress installations due to the hash generation function’s reliance on a PHP method called sys_getloadavg() that’s not implemented on Windows.

“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” Muhammad said.

With a previously disclosed flaw in LiteSpeed Cache (CVE-2023-40000, CVSS score: 8.3) exploited by malicious actors, it’s imperative that users move quickly to update their instances to the latest version.

Update

Wordfence has revealed that exploitation attempts against the flaw have already commenced in full swing, stating it “blocked 58,952 attacks targeting this vulnerability in the past 24 hours.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0

Percentile

9.5%