Cybersecurity experts have reported a significant vulnerability within the LiteSpeed Cache plugin for WordPress, one of the platform’s most commonly used caching solutions, boasting over five million active installations. This flaw, identified as CVE-2024-28000, has the potential to enable unauthenticated individuals to obtain administrator access to affected WordPress sites, posing a critical risk to the security of these installations.
According to a report from Patchstack’s Rafie Muhammad, the vulnerability allows nefarious actors to exploit unauthenticated privilege escalation, which facilitates unauthorized visitors in gaining administrator-level access. Once obtained, attackers could upload and install malicious plugins, further compromising site security. This vulnerability received a high severity rating with a CVSS score of 9.8.
The issue stems from a weakness in the plugin’s user simulation feature, which utilizes a security hash based on a weak and easily guessable random number generator. This method reduces the security hash to one million possible values, rendering it vulnerable to discovery through brute-force attacks or exposed debug logs. As such, attackers can manipulate their user ID to assume an administrator role and subsequently create new accounts with administrative privileges via the WordPress REST API endpoint.
The weakness has been addressed in version 6.4 of the LiteSpeed Cache plugin, which was released on August 13, 2024. Prior versions, including 6.3.0.1 and earlier, remain vulnerable, and it is crucial for users of the plugin to update to the latest version promptly, especially in light of previous exploits associated with the tool, such as CVE-2023-40000, which had already been targeted by malicious actors.
Importantly, exploitation attempts have already been observed, with Wordfence reporting nearly 59,000 attacks targeting this specific vulnerability within the last 24 hours. These early indicators underscore the immediate urgency for businesses operating WordPress sites to implement updates and fortify their security postures.
However, it is noteworthy that this vulnerability is not exploitable on Windows-based WordPress installations, due to the reliance of the hash generation function on a PHP method that is unsupported in that operating environment. This aspect is critical for organizations to consider when assessing their risk landscape.
The implications of CVE-2024-28000 highlight a broader concern for cybersecurity, emphasizing the necessity for maintaining robust and unpredictable values in security hashes. Business owners must remain vigilant in monitoring their resources for vulnerabilities, as exploitation methods could include tactics and techniques laid out within the MITRE ATT&CK framework, such as privilege escalation and initial access strategies.
In summary, the discovery of this flaw in a widely utilized WordPress plugin demands immediate action from site administrators. Implementing recommended updates and understanding the potential for exploitation can help mitigate risks and safeguard against unauthorized access and potential data breaches. Staying abreast of these vulnerabilities and threats is essential for maintaining a secure digital presence.
