WordPress site owners are facing an active threat from a vulnerability in a popular plugin. LiteSpeed Cache, installed on more than five million sites, improves performance by speeding up page loads.
However, versions prior to 5.7.0.1 contain a high-severity flaw that attackers are exploiting in the wild to plant rogue administrator accounts. Read on to learn how the LiteSpeed Cache flaw works and how to protect your WordPress site.
Understanding the LiteSpeed Cache Vulnerability
The vulnerability, tracked as CVE-2023-40000, is an unauthenticated stored cross-site scripting (XSS) issue rated 8.8 out of 10 on the CVSS scale. An attacker needs no account on the site: a single crafted request stores malicious script in the plugin's data, and that script later runs in the browser of an administrator viewing the dashboard, with the administrator's privileges.
Hackers have been observed making over 1.2 million scanning attempts from a single IP address to identify sites using the vulnerable plugin versions. Successful attacks involve the injection of harmful JavaScript into essential WordPress files or directly into the database.
According to WPScan, the injected script uses those privileges to create new administrator accounts with names such as 'wpsupp-user' or 'wp-configuser'. The payload is stored in the 'litespeed.admin_display.messages' option, where the plugin keeps the notices it shows in the admin area. If a WordPress database contains the string "eval(atob(String.fromCharCode" in that option, the site should be treated as compromised.
Malicious JavaScript code creating rogue WordPress admin accounts (Source: WPScan)
Although many users have updated to a patched version, around 1,835,000 WordPress sites are estimated to still be running a vulnerable version of the LiteSpeed Cache plugin, leaving them exposed to these attacks.
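The WPScan indicator above (the obfuscated loader in the litespeed.admin_display.messages option) and the review of the administrator list recommended in the recovery advice can both be checked with a few lines of code. The following is an added example written for this article, not tooling from WPScan or LiteSpeed. It assumes the default wp_ table prefix, and all sample data is constructed: the "injected" script is a harmless alert(1), encoded the same way the real loader is (base64 text, each character passed through String.fromCharCode, decoded with atob and handed to eval).

```python
import base64
import re

# Indicator reported by WPScan: the obfuscated loader stored in the
# litespeed.admin_display.messages option contains this string.
IOC = "eval(atob(String.fromCharCode"

# Reference query for the wp_options table (run it from a database client or
# with `wp db query`). Assumes the default wp_ table prefix.
SQL_CHECK_OPTION = (
    "SELECT option_value FROM wp_options "
    "WHERE option_name = 'litespeed.admin_display.messages' "
    "AND option_value LIKE '%eval(atob(String.fromCharCode%';"
)


def option_is_compromised(option_value: str) -> bool:
    """True if the stored admin-notice text carries the obfuscated loader."""
    return IOC in option_value


def decode_payload(option_value: str):
    """Peel off the String.fromCharCode and atob layers to reveal the script
    that eval() would run. Returns the decoded JavaScript, or None when the
    value is not shaped like the indicator."""
    match = re.search(r"String\.fromCharCode\(([\d,\s]+)\)", option_value)
    if not match:
        return None
    b64_text = "".join(chr(int(n)) for n in match.group(1).split(","))
    return base64.b64decode(b64_text).decode("utf-8", errors="replace")


def unexpected_admins(users, usermeta, expected_logins):
    """Return the logins of administrators that are not in the expected set.

    Comparing against an allowlist catches rogue accounts even when the
    attacker picks a name other than wpsupp-user or wp-configuser.
    users: rows of wp_users as dicts with ID and user_login.
    usermeta: rows of wp_usermeta as (user_id, meta_key, meta_value) tuples.
    """
    admin_ids = {
        uid for uid, key, value in usermeta
        if key == "wp_capabilities" and '"administrator"' in value
    }
    return sorted(
        u["user_login"] for u in users
        if u["ID"] in admin_ids and u["user_login"] not in expected_logins
    )


# Constructed sample data (not taken from any real site).
_codes = ",".join(str(ord(c)) for c in base64.b64encode(b"alert(1)").decode())
SAMPLE_OPTION = f"<script>eval(atob(String.fromCharCode({_codes})))</script>"

SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner"},
    {"ID": 2, "user_login": "editor"},
    {"ID": 7, "user_login": "wpsupp-user"},  # rogue account from the campaign
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]
EXPECTED_ADMINS = {"siteowner"}  # the admins the site owner actually created

if __name__ == "__main__":
    print("option compromised:", option_is_compromised(SAMPLE_OPTION))
    print("decoded payload:", decode_payload(SAMPLE_OPTION))
    print("unexpected admins:",
          unexpected_admins(SAMPLE_USERS, SAMPLE_USERMETA, EXPECTED_ADMINS))
```

On a real site, feed option_is_compromised() the value returned by the SQL query (or by `wp option get litespeed.admin_display.messages`) and unexpected_admins() the contents of wp_users and wp_usermeta; decode_payload() is there so that the responder can see what the loader would execute before deleting it.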
Email Subscribers Plugin Also Targeted
Attackers are also targeting the Email Subscribers plugin. With around 90,000 installations it is far less widespread than LiteSpeed Cache, but that has not kept it off the criminals' radar.
The plugin has a critical SQL injection vulnerability (CVE-2024-2876) in versions 5.7.14 and earlier. Rated 9.8 out of 10 on the CVSS scale, it lets attackers create administrator accounts and take full control of the site.
Preventive Measures and Recovery Tips
To stay safe, WordPress site administrators are advised to:
- Keep all plugins updated; in particular, update LiteSpeed Cache to 5.7.0.1 or later and Email Subscribers to a version newer than 5.7.14.
- Remove or disable plugins you do not need, to shrink the attack surface.
- Review the user list regularly for administrator accounts you did not create.
If a site has been breached, a thorough cleanup is essential: delete every unauthorized account, reset the passwords of all remaining users, and restore the database and site files from a clean backup taken before the compromise so that no injected script (including the stored 'litespeed.admin_display.messages' payload) survives.
Final Word
By staying informed about potential vulnerabilities and following best practices for security, WordPress site owners can significantly reduce their risk of becoming a target for cyberattacks.