Millions of WordPress sites have been potentially exposed to severe security risks due to the identification of a critical vulnerability in the LiteSpeed Cache plugin.
LiteSpeed Cache is open-source and the most popular WordPress site acceleration plugin, with over 5 million active installations and support for WooCommerce, bbPress, ClassicPress, and Yoast SEO.
This flaw, discovered by John Blackbourn through the Patchstack zero-day bug bounty program, allows unauthenticated attackers to gain administrator-level access. It could lead to the installation of malicious plugins and the full compromise of affected websites.
The unauthenticated privilege escalation vulnerability (CVE-2024-28000) was found in the plugin’s user simulation feature and is caused by a weak hash check in LiteSpeed Cache up to and including version 6.3.0.1.
The vulnerability stems from the weak security hash used by the plugin's user simulation feature. The hash is generated with a non-cryptographic random number generator and stored without being salted or bound to a particular request.
With only 1,000,000 possible values, Patchstack warned, the hash is relatively easy to guess, allowing attackers to iterate through every possibility until they find the correct hash and simulate an administrator user.
Patchstack explained, “We were able to determine that a brute force attack that iterates all one million known possible values for the security hash and passes them in the litespeed_hash cookie – even running at a relatively low three requests per second – is able to gain access to the site as any given user ID within between a few hours and a week.”
Additionally, the vulnerability can be exploited even if the plugin’s crawler feature is initially disabled. Attackers can trigger the generation of the weak security hash via an unprotected Ajax handler, making sites running the LiteSpeed Cache plugin potentially vulnerable, regardless of their specific settings.
Patchstack added, “This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces.”
Recommended Actions for Users
After being notified by Patchstack, the LiteSpeed team released a patch for the vulnerability that improves hash complexity, introduces one-time-use hashes and implements stricter validation.
“We initially recommend using the hash_equals function for the hash value comparison process to avoid possible timing attacks,” Patchstack suggested. “We also recommend using a more secure random value generator such as the random_bytes function. This was not implemented due to the need for legacy PHP support.”
Users of the LiteSpeed Cache plugin are advised to update to version 6.4 immediately to mitigate this security risk.
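The two patterns the article contrasts, as an added PHP illustration that is not LiteSpeed Cache's own code: a hash drawn from a 1,000,000-value keyspace with a plain comparison, beside the hardened form Patchstack recommends (random_bytes, hash_equals, one-time use), with the enumeration-time arithmetic behind the "few hours to a week" figure. The function names and the in-memory store are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code: why a 1,000,000-value hash
// falls to enumeration, and the hardened pattern Patchstack describes.

// Weak pattern: a non-cryptographic generator with a keyspace of only
// 1,000,000 values, stored unsalted and not bound to any request.
function weak_hash(): string {
    return (string) mt_rand(0, 999999);
}

// Hardened pattern: 128 bits from a CSPRNG, so the keyspace is 2^128
// rather than 10^6.
function strong_hash(): string {
    return bin2hex(random_bytes(16));
}

// Constant-time comparison: == or === stops at the first differing byte and
// leaks how many leading characters matched; hash_equals() does not.
function hash_matches(string $stored, string $supplied): bool {
    return hash_equals($stored, $supplied);
}

// One-time use: consume the stored hash on the first successful match so a
// captured or guessed value cannot be replayed later.
function verify_and_consume(array &$store, string $key, string $supplied): bool {
    if (!isset($store[$key]) || !hash_matches($store[$key], $supplied)) {
        return false;
    }
    unset($store[$key]);
    return true;
}

// Worst-case time to try every value at a given request rate, in seconds.
// 10^6 values at 3 req/s is about 3.9 days, consistent with the article's
// "between a few hours and a week" (the expected case is half of that).
function worst_case_seconds(float $keyspace, float $requests_per_second): float {
    return $keyspace / $requests_per_second;
}

// Demonstration of the hardened flow with a constructed store.
$store = ['user:1' => strong_hash()];
$token = $store['user:1'];
var_dump(verify_and_consume($store, 'user:1', $token));   // bool(true)
var_dump(verify_and_consume($store, 'user:1', $token));   // bool(false), consumed

printf("10^6 keyspace at 3 req/s: %.1f days worst case\n",
       worst_case_seconds(1e6, 3) / 86400);
printf("2^128 keyspace at 3 req/s: %.2e years worst case\n",
       worst_case_seconds(2 ** 128, 3) / (86400 * 365));
```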