WordPress LiteSpeed Cache Plugin Vulnerability Lets Unauthenticated Visitors Gain Administrator Access
A severe security flaw has been reported in the LiteSpeed Cache plugin for WordPress that lets unauthenticated visitors obtain administrator privileges.
“An unauthenticated privilege escalation vulnerability exists in the plugin, enabling any visitor without authentication to achieve Administrator status, paving the way for the installation of malicious plugins,” highlighted a report from Patchstack’s Rafie Muhammad published on Wednesday.
The flaw, tracked as CVE-2024-28000 (CVSS score: 9.8), was fixed in version 6.4 of the plugin, released on August 13, 2024. It affects all versions of the plugin up to and including 6.3.0.1.
LiteSpeed Cache ranks among the most widely adopted caching plugins for WordPress, boasting over five million active installations.
In short, CVE-2024-28000 lets an unauthenticated attacker spoof their user ID and register as an administrator-level user, gaining the permissions needed to take over a vulnerable WordPress site.
The flaw is rooted in a user-simulation feature in the plugin that relies on a weak security hash generated from a random number with a guessable seed.
Because the random number generator is seeded with the microsecond portion of the current time, the security hash has only one million possible values. The generator is also not cryptographically secure, and the hash it produces is neither salted nor tied to a specific request or user.
“The plugin’s inadequate restriction on the role simulation functionality permits a user to set their current ID to that of an administrator, provided they possess a valid hash, which could be uncovered in debug logs or through brute force,” mentioned Wordfence in its notification.
“This enables unauthorized attackers to fake their user ID as an administrator, then establish a new user account with admin privileges using the /wp-json/wp/v2/users REST API endpoint.”
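The following is an added illustration of the root cause described above; it is not the LiteSpeed Cache plugin's code. It models the pattern the advisories describe (a PRNG seeded from the microsecond part of the clock, then a short alphanumeric "hash" drawn from it), shows why an attacker can enumerate every possible value, and contrasts it with a CSPRNG-based version. The function names, the six-character length, and the alphabet are assumptions made for the example.

```php
<?php
// Added example modelling the weak-seed pattern behind CVE-2024-28000.
// NOT the plugin's own code; names and details are illustrative.

// Vulnerable pattern (modelled): the only entropy is the microsecond
// fraction of the clock, i.e. an integer in 0..999999.
function weak_seed_from_clock(): int {
    return (int) floor(fmod(microtime(true), 1) * 1000000);
}

// Draw a 6-character "hash" from mt_rand() after seeding it with the
// clock value. Whatever the length, at most 1,000,000 distinct outputs
// exist, because there are only 1,000,000 distinct seeds.
function weak_hash(int $seed_usec, int $len = 6): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    mt_srand($seed_usec);
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Attacker side: given one observed hash (for example from a debug log),
// walk all 10^6 seeds offline and return one that reproduces it. Without
// an observed hash, the same loop produces the full candidate list to try
// against the role-simulation check. A colliding seed is as good as the
// original one for the attacker, so the first match is returned.
function brute_force_seed(string $observed, int $len = 6): ?int {
    for ($seed = 0; $seed < 1000000; $seed++) {
        if (weak_hash($seed, $len) === $observed) {
            return $seed;
        }
    }
    return null;
}

// Hardened form: a CSPRNG value with no seed to guess (2^128 outcomes
// for 16 bytes), and a constant-time comparison on the verifying side.
function strong_hash(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));
}

function hash_matches(string $stored, string $presented): bool {
    return hash_equals($stored, $presented);
}

// Demo: generate a weak hash the way the vulnerable pattern would, then
// recover a valid seed for it by exhaustive search.
$seed      = weak_seed_from_clock();
$hash      = weak_hash($seed);
$start     = microtime(true);
$recovered = brute_force_seed($hash);
printf("weak hash %s: seed %d recovered (generated with %d) in %.2fs\n",
    $hash, $recovered, $seed, microtime(true) - $start);
printf("strong hash example: %s (matches itself: %s)\n",
    $h = strong_hash(), hash_matches($h, $h) ? 'yes' : 'no');
```

Run it with the PHP CLI; the exhaustive search over one million seeds completes in seconds on commodity hardware, which is the practical meaning of a one-million-value keyspace. Inside WordPress the equivalent of `strong_hash()` would be `random_bytes()` or `wp_generate_password()`, and a token used to switch the current user should additionally be bound to the user and request it was issued for and invalidated after use.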

It is worth noting that the flaw cannot be exploited on WordPress installations running on Windows, because the hash generation path depends on the PHP function sys_getloadavg(), which is not implemented on Windows.
“This vulnerability underscores the pivotal necessity of maintaining the strength and unpredictability of the values utilized as security hashes or nonces,” emphasized Muhammad.
With a previous LiteSpeed Cache vulnerability (CVE-2023-40000, CVSS score: 8.3) already having been exploited by threat actors, users should update their installations to the latest version as soon as possible.

