The Researcher team has identified and patched a critical privilege escalation vulnerability in the LiteSpeed Cache plugin.
This plugin, installed on over 5 million WordPress sites, was susceptible to attacks that could allow unauthenticated users to gain administrative access.
The vulnerability, identified as CVE-2024-28000, has been fixed in the latest version, 6.4.1, and users are urged to update immediately.
CVE-2024-28000 – The Vulnerability
The vulnerability in question affected all versions of the LiteSpeed Cache plugin up to 6.3.0.1. It was discovered that the plugin did not properly restrict the role simulation functionality.
This flaw allowed unauthenticated attackers to spoof their user IDs, potentially register as administrative-level users, and take over WordPress sites.
Technical Details
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial
The vulnerability was rooted in the plugin’s handling of user emulation through its “Crawler Simulation Settings.”
This feature was insecurely implemented. It was designed to allow the plugin to crawl and cache pages as specific authenticated users. The core issue lay in the async_litespeed_handler() function, which lacked proper capability or nonce checks.
This oversight enabled users to trigger the function and generate a $hash value stored in the options table. This $hash could then be used to spoof user IDs.
Wordfence has issued a firewall rule to protect its Premium, Care, and Response users against this vulnerability as of August 20th, 2024.
Free users will receive this protection on September 19th, 2024. Given the critical nature of this vulnerability, it is imperative for all users of the LiteSpeed Cache plugin to update to version 6.4.1 or later immediately.
For those managing WordPress sites, it is also advisable to regularly review and update all plugins and themes to their latest versions to mitigate potential security risks.
This vulnerability highlights the ongoing need for vigilance in web security, especially for widely used plugins like LiteSpeed Cache.
The swift action by Wordfence and the WordPress community underscores the importance of collaborative efforts in maintaining a secure web environment.
Users are encouraged to remain proactive in updating their sites and sharing security advisories with others to prevent exploitation.
Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial