WordPress websites have been under attack lately, with a surge of malicious JavaScript being injected through vulnerable versions of the LiteSpeed Cache plugin, according to WPScan, Automattic's security team.
As of 2024, there are over 1.89 billion websites on the internet, with around 835 million relying on WordPress as their Content Management System (CMS), approximately 43.3% of all websites worldwide. This makes the CMS a lucrative target for cybercriminals.
According to WPScan's blog post, threat actors are exploiting a stored cross-site scripting (XSS) vulnerability in the plugin that allows an unauthenticated user to elevate privileges through specially crafted HTTP requests. LiteSpeed Cache plugin versions older than 5.7.0.1 are vulnerable to a high-severity (CVSS 8.8) unauthenticated cross-site scripting flaw tracked as CVE-2023-40000 and disclosed by Patchstack in February 2024.
Understanding the Vulnerability
The vulnerability lies in unauthenticated stored XSS (cross-site scripting) within older versions of the plugin. Unauthenticated XSS means an attacker doesn’t need login credentials to inject malicious code.
Stored XSS, on the other hand, means the malicious code is saved in your website's database and served to every user who visits the compromised page. By exploiting this flaw, attackers inject malicious JavaScript into WordPress files and the database and create administrator users named 'wpsupp-user' or 'wp-configuser'.
Indicators of compromise for this campaign include the URLs startservicefounds[.]com/service/f.php, apistartservicefounds[.]com and cachecloudswiftcdn[.]com, and the associated IP address 45.150.67.235.
Potential Dangers
LiteSpeed Cache is a popular plugin, used on over five million WordPress sites for its Google Search ranking-boosting capabilities. The flaw was addressed in October 2023 in version 5.7.0.1, while the latest version, 6.2.0.1, was released on April 25, 2024. However, despite the availability of patched versions, 1,835,000 users still run vulnerable releases and remain exposed to infection, researchers noted.
Creating admin accounts on WordPress sites can lead to severe consequences, allowing threat actors to gain full control and perform arbitrary actions, such as injecting malware or installing malicious plugins. Exercise Caution!
This development comes after Sucuri revealed a redirect scam campaign called Mal.Metrica, which uses fake CAPTCHA prompts to redirect users to fraudulent sites.
To secure your WordPress site, update the LiteSpeed Cache plugin to the latest version, scan for malware using a reputable WordPress security scanner, and change all login credentials. WPScan recommends searching the litespeed.admin_display.messages option for suspicious strings and checking for the presence of a wpsupp-user account.
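The two checks WPScan recommends (inspecting the litespeed.admin_display.messages option and looking for the campaign's administrator account names) can be scripted against an export of a site's options and users. The following is an added example, not WPScan's tooling or anything from the LiteSpeed project; the indicator values come from the article, while the sample option values, user list and the `expected_admins` allowlist are constructed for illustration. Option values are taken as raw strings, so they can be fed from `wp option get` or a database export without parsing the PHP serialization.

```python
"""Scan WordPress option values and user accounts for the LiteSpeed Cache
campaign indicators described in the article (added example, not WPScan code)."""
import re

# Indicators from the article, kept defanged so the file is safe to share.
IOC_DOMAINS = (
    "startservicefounds[.]com",
    "apistartservicefounds[.]com",
    "cachecloudswiftcdn[.]com",
)
IOC_IPS = ("45.150.67.235",)
SUSPICIOUS_LOGINS = frozenset({"wpsupp-user", "wp-configuser"})

# Generic stored-XSS markers: an admin notice string should never carry these.
SCRIPT_MARKERS = re.compile(
    r"<script\b|javascript:|\beval\(|\batob\(|document\.write\(", re.I
)


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return indicator.replace("[.]", ".")


def _domain_pattern(domain: str) -> re.Pattern:
    # Anchor on non-hostname characters so 'startservicefounds.com' does not
    # also fire on 'apistartservicefounds.com'.
    return re.compile(r"(?<![\w.-])" + re.escape(refang(domain)) + r"(?![\w-])")


def scan_option(name: str, value: str) -> list[str]:
    """Return findings for one option value (raw, possibly PHP-serialized)."""
    findings = []
    if SCRIPT_MARKERS.search(value):
        findings.append(f"option {name}: contains script/JS markers")
    for dom in IOC_DOMAINS:
        if _domain_pattern(dom).search(value):
            findings.append(f"option {name}: references known domain {dom}")
    for ip in IOC_IPS:
        if ip in value:
            findings.append(f"option {name}: references known IP {ip}")
    return findings


def scan_users(users: list[dict], expected_admins: set[str]) -> list[str]:
    """Flag campaign account names and any administrator not on the allowlist."""
    findings = []
    for user in users:
        login = user["user_login"]
        if login.lower() in SUSPICIOUS_LOGINS:
            findings.append(f"user {login}: matches campaign admin name (role={user['role']})")
        elif user["role"] == "administrator" and login not in expected_admins:
            findings.append(f"user {login}: administrator not in allowlist, review")
    return findings


def scan_site(options: dict, users: list[dict], expected_admins: set[str]) -> list[str]:
    findings = []
    for name, value in options.items():
        findings.extend(scan_option(name, value))
    findings.extend(scan_users(users, expected_admins))
    return findings


# Constructed sample data: one clean option and one option shaped like a
# PHP-serialized notice array carrying an injected script tag.
SAMPLE_OPTIONS = {
    "siteurl": "https://example.org",
    "litespeed.admin_display.messages":
        'a:1:{i:0;s:68:"<script src="https://startservicefounds.com/service/f.php"></script>";}',
}
SAMPLE_USERS = [
    {"user_login": "site-owner", "role": "administrator"},
    {"user_login": "editor1", "role": "editor"},
    {"user_login": "wpsupp-user", "role": "administrator"},
]
EXPECTED_ADMINS = {"site-owner"}  # constructed allowlist for the sample site


if __name__ == "__main__":
    for line in scan_site(SAMPLE_OPTIONS, SAMPLE_USERS, EXPECTED_ADMINS):
        print(line)
```

Run against the constructed sample, the script reports the script tag and the known domain in the LiteSpeed messages option plus the wpsupp-user administrator, and stays silent on the clean option and the allowlisted account. A finding is a prompt to review the site, not proof on its own; the cleanup steps above (update, full malware scan, credential rotation) still apply.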