A vulnerability classified as high-severity has been discovered in the LiteSpeed Cache plugin for WordPress, which is currently being exploited by cybercriminals to forge unauthorized administrator accounts on affected websites. This alert originated from WPScan, which detailed that the flaw, identified as CVE-2023-40000 with a CVSS score of 8.3, is being leveraged to create fictitious admin users named ‘wpsupp-user’ and ‘wp-configuser’.
The vulnerability, disclosed by Patchstack in February 2024, is a stored cross-site scripting (XSS) flaw that allows unauthenticated users to escalate their privileges through deliberately crafted HTTP requests. Notably, the flaw was addressed in version 5.7.0.1 of the plugin, released in October 2023; the most recent release is version 6.2.0.1, published on April 25, 2024.
LiteSpeed Cache, which has over five million active installations, remains exposed: nearly 16.8% of all websites still run versions preceding 5.7, 6.0, 6.1, and 6.2. WPScan explains that the malware typically infects WordPress files with JavaScript sourced from domains such as dns.startservicefounds[.]com and api.startservicefounds[.]com.
The creation of unauthorized admin accounts can lead to devastating outcomes for website owners, granting adversaries unfettered access to their platforms. This access allows for a range of malicious actions, including the injection of further malware and the installation of rogue plugins.
To mitigate the risk, users should update to the latest version of the plugin promptly. They should also review all installed plugins and remove any files or directories that look suspicious. WPScan further recommends searching the database for suspicious strings such as ‘eval(atob(Strings.fromCharCode,’ within the ‘litespeed.admin_display.messages’ option.
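One way to automate the checks described above, as an added example that is not WPScan's or LiteSpeed's own code: it scans rows shaped like the wp_options table and a (user_login, role) list for the indicators named in this article, and reverses the String.fromCharCode/atob wrapping so the hidden script can be read during triage. The option rows, user list and hidden script below are constructed samples, and the simplified (login, role) user shape is an assumption for the example.

```python
import base64
import re

# Indicators named in the WPScan report: the option that carried the injected
# script, the obfuscation wrapper, and the rogue administrator usernames.
TARGET_OPTION = "litespeed.admin_display.messages"
ROGUE_ADMINS = {"wpsupp-user", "wp-configuser"}
# Tolerates both "String.fromCharCode" and the "Strings..." spelling quoted in the report.
WRAPPER_RE = re.compile(r"eval\(atob\(Strings?\.fromCharCode\(([\d,\s]+)\)")


def decode_charcode_payload(value):
    """Undo String.fromCharCode(...) then atob() to expose the hidden script, or None."""
    match = WRAPPER_RE.search(value)
    if not match:
        return None
    codes = [int(c) for c in match.group(1).split(",") if c.strip()]
    b64_text = "".join(chr(c) for c in codes)
    try:
        return base64.b64decode(b64_text, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_options(rows):
    """rows: iterable of (option_name, option_value). Returns flagged options, decoded."""
    findings = []
    for name, value in rows:
        if WRAPPER_RE.search(value):
            findings.append({"option": name, "decoded": decode_charcode_payload(value)})
    return findings


def scan_users(users):
    """users: iterable of (user_login, role). Flags the rogue admin names from the report."""
    return [login for login, role in users if role == "administrator" and login in ROGUE_ADMINS]


def build_sample_option_value(hidden_js):
    """Construct a value shaped like the reported injection (sample data, not real malware)."""
    b64_text = base64.b64encode(hidden_js.encode()).decode()
    codes = ",".join(str(ord(ch)) for ch in b64_text)
    return f"<script>eval(atob(String.fromCharCode({codes})))</script>"


# Constructed sample data standing in for wp_options rows and WordPress users.
HIDDEN_JS = "// constructed sample referencing dns.startservicefounds[.]com"
SAMPLE_ROWS = [
    ("siteurl", "https://example.test"),
    (TARGET_OPTION, build_sample_option_value(HIDDEN_JS)),
    ("blogname", "Example site"),
]
SAMPLE_USERS = [("alice", "administrator"), ("wpsupp-user", "administrator"), ("bob", "editor")]
```

Run `scan_options` against a dump of wp_options and `scan_users` against the user list; any finding for the `litespeed.admin_display.messages` option should be read in its decoded form before the site is cleaned.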
This vulnerability emerges against the backdrop of another significant cybersecurity threat: the Mal.Metrica scam campaign, which employs fake CAPTCHA verification prompts to redirect users from compromised WordPress sites to illegitimate websites. These sites are designed to either download malicious software or deceive users into disclosing personal information under false pretenses of earning rewards, as highlighted by security researcher Ben Martin.
Similar to the exploits of the Balada Injector, Mal.Metrica takes advantage of newly unveiled security vulnerabilities in WordPress plugins, facilitating the injection of scripts that mimic content delivery networks or web analytics services. Thus far in 2024, the Mal.Metrica campaign has affected approximately 17,449 websites.
Martin advises WordPress site operators to consider enabling automatic updates for core files, plugins, and themes, and suggests that regular internet users remain vigilant against clicking on suspicious links that could lead to compromise.