Updating to version 6.4 or higher will prevent exploitation of the vulnerability that allows an attacker to gain admin access.

More than five million WordPress sites are at risk of compromise due to a critical flaw in the LiteSpeed Cache plugin discovered in early August, according to researchers at Patchstack.
The unauthenticated privilege escalation vulnerability, CVE-2024-28000, allows an attacker to gain administrator access and potentially upload and install malicious plugins.
According to the Patchstack report, the vulnerability exploits a weak security hash in the user simulation feature, which emulates a logged-in user of a given ID and crawls a site to pre-populate the caches for its pages. The security hash protects the setting of the user ID.
The security hash generation, however, had several problems that made it relatively easy to guess. Firstly, its random number generator only used the microsecond portion of the current time as its seed, which meant there were only one million possible values for the hash.
Secondly, the random number generator was not cryptographically secure, so the “random” numbers it produced could be determined if the seed was known. And third, the hash was generated once and saved, and it was not salted with a secret.
The hash can be used to create admin-level accounts
All this means that a potential attacker could brute force the hash by cycling through possible values. While the attack requires knowledge of an administrator user ID, the researchers noted that user ID 1 works in many cases. The attacker can then use the hash to create new administrator-level accounts.
Although this attack requires that the crawler has been enabled (it is disabled by default) and used at least once to generate a hash, the researchers further discovered that an unprotected Ajax handler could be called to trigger hash generation. “This means all sites using LiteSpeed Cache — not just those with its crawler feature enabled — are vulnerable,” the report said.
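The following Python example is added here for illustration and is not the plugin's code or anything from the Patchstack report. It models the three weaknesses the report lists (microsecond-only seed, non-cryptographic generator, no secret salt) in a deliberately weak generator, beside a hardened version that draws the token from a CSPRNG and binds the stored copy to a server-side secret; the function names, the six-character alphabet and the secret value are assumptions.

```python
import hashlib
import hmac
import random
import secrets

# Illustrative weak scheme (assumption: modelled on the three flaws described,
# not the plugin's real code): the only entropy is the microsecond part of the
# clock, the generator is not cryptographic, and nothing secret is mixed in.
MICROSECONDS_PER_SECOND = 1_000_000
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed alphabet


def weak_hash(microsecond: int, length: int = 6) -> str:
    """Deterministic: the same microsecond seed always yields the same hash."""
    rng = random.Random(microsecond)  # Mersenne Twister, seed in 0..999999
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def weak_keyspace_size(length: int = 6) -> int:
    """Number of distinct hashes the weak scheme can ever produce.

    The output space is bounded by the seed space, not by the alphabet, so a
    longer hash adds no security: at most one million values exist.
    """
    return min(MICROSECONDS_PER_SECOND, len(ALPHABET) ** length)


# Hardened scheme: a CSPRNG token, with the stored copy bound to a server-side
# secret so that a leaked setting is not usable on its own.
def issue_token(server_secret: bytes) -> tuple[str, str]:
    """Return (token to hand to the crawler, value that is safe to persist)."""
    token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
    stored = hmac.new(server_secret, token.encode(), hashlib.sha256).hexdigest()
    return token, stored


def verify_token(server_secret: bytes, presented: str, stored: str) -> bool:
    """Constant-time check that a presented token matches the stored HMAC."""
    expected = hmac.new(server_secret, presented.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored)
```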
Windows systems not affected
Windows systems are immune to the vulnerability, the report continued, because a function required to generate the hash is not available in Windows, which, it said, “means the hash cannot be generated on Windows-based WordPress instances, making the vulnerability exploitable on other [operating systems] such as Linux environments.”
LiteSpeed “strongly recommends” that users upgrade to version 6.4 or higher of the plugin immediately, and also check their sites’ user lists for any unrecognized accounts with administrator privileges and delete them. If an upgrade isn’t immediately possible, it offered some temporary measures to mitigate the risk in its blog post describing the issue.