5 Million Sites Vulnerable: Patch Your LiteSpeed Cache Plugin Immediately
PatchStack specialists have discovered a critical vulnerability in the LiteSpeed Cache plugin for WordPress, which could allow attackers to gain administrator privileges on a site. This flaw potentially affects over 5 million websites utilizing this plugin. Wordfence has also joined PatchStack in issuing a separate advisory concerning the vulnerability.
LiteSpeed Cache, a popular caching plugin for WordPress, boasts over 5 million active installations. The vulnerability affects all versions of the plugin up to and including version 6.4, with an update released on August 13th. Users are strongly urged to update the plugin to the latest version (6.4.1) as soon as possible to avoid potential attacks.
The privilege escalation vulnerability CVE-2024-28000 (CVSS score: 9.8) allows an unauthorized attacker to obtain administrator-level access, enabling the installation of malicious plugins. The cybercriminal can forge a user ID and register with administrator rights using the REST API /wp-json/wp/v2/users, resulting in full control over the compromised site.
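A site operator has two immediate checks for the facts stated above: confirm whether the installed LiteSpeed Cache version predates the 6.4.1 fix, and look in the web server access log for POST requests to the `/wp-json/wp/v2/users` endpoint, since that is the route the advisory names for the rogue administrator registration. The Python below is an added example written for this article and is not code from Patchstack, Wordfence or the plugin; the plugin header text and the access-log lines are constructed samples, and the function names (`is_vulnerable_version`, `plugin_version_from_header`, `find_user_creation_requests`) are my own.

```python
import re
from typing import Iterable, List, Optional, Tuple

FIXED_VERSION = "6.4.1"              # first patched release named in the article
USERS_ENDPOINT = "/wp-json/wp/v2/users"  # REST route used for the rogue admin registration


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.4' or '6.4.1' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed plugin is older than the 6.4.1 fix (i.e. <= 6.4)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


# WordPress plugin headers carry a 'Version:' line inside the main PHP file's docblock.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def plugin_version_from_header(header_text: str) -> Optional[str]:
    """Extract the declared version from a plugin's header comment, or None."""
    match = HEADER_RE.search(header_text)
    return match.group(1) if match else None


# Apache/Nginx combined log format: client, identd, user, [time], "METHOD target HTTP/x", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_user_creation_requests(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, status) for every POST aimed at the users REST route.

    A 201 from an unexpected client is the strongest signal; a 401/403 shows
    someone probing the route. Reconcile hits against legitimate admin activity.
    """
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        path = match.group("target").split("?", 1)[0].rstrip("/")
        if match.group("method") == "POST" and path == USERS_ENDPOINT:
            hits.append((match.group("ip"), match.group("status")))
    return hits


# Constructed sample: the docblock at the top of a plugin's main PHP file.
CONSTRUCTED_HEADER = """<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Version: 6.4
 */
"""

# Constructed sample access-log lines (documentation IP ranges, no real traffic).
CONSTRUCTED_LOG = [
    '203.0.113.7 - - [14/Aug/2024:10:01:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Aug/2024:10:01:05 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 312 "-" "python-requests/2.31"',
    '198.51.100.9 - - [14/Aug/2024:10:02:11 +0000] "POST /wp-json/wp/v2/users/ HTTP/1.1" 401 120 "-" "curl/8.0"',
    '192.0.2.5 - - [14/Aug/2024:10:03:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    version = plugin_version_from_header(CONSTRUCTED_HEADER)
    print(f"installed version {version}: "
          f"{'UPDATE REQUIRED' if version and is_vulnerable_version(version) else 'patched'}")
    for ip, status in find_user_creation_requests(CONSTRUCTED_LOG):
        print(f"POST to {USERS_ENDPOINT} from {ip} -> HTTP {status}")
```

On a real site, feed `plugin_version_from_header` the contents of the plugin's main PHP file from `wp-content/plugins/` and point `find_user_creation_requests` at the web server's access log; any successful (201) POST to the users route that was not an administrator's own action warrants reviewing the site's user list and removing unexpected accounts after updating to 6.4.1.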
The issue stems from the plugin's user simulation feature, which relies on a weak hash. The hash is derived from a random number that is easy to predict because its seed depends on the current time measured to the microsecond, so there are only a million possible hash values. Furthermore, the random number generator is not cryptographically secure, and the hash is not protected by additional measures such as salting or binding to a specific request or user.
It is noteworthy that the vulnerability cannot be exploited on WordPress sites running on Windows, because the hash generation routine relies on the PHP function sys_getloadavg(), which is not implemented on that platform.