Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to gain administrator privileges.
“The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and installed,” Patchstack’s Rafie Muhammad said in a Wednesday report.
The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), has been patched in version 6.4 of the plugin released on August 13, 2024. It impacts all versions of the plugin, including and prior to 6.3.0.1.
LiteSpeed Cache is one of the most widely used caching plugins in WordPress, with over 5 million active installations.
In a nutshell, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them the privileges needed to take over a vulnerable WordPress site.
The vulnerability is rooted in a user simulation feature in the plugin that relies on a weak security hash, which in turn is seeded from a trivially guessable random number.
Specifically, there are only one million possible values for the security hash because the random number generator is seeded from the microsecond portion of the current time. What’s more, the random number generator is not cryptographically secure, and the generated hash is neither salted nor tied to a particular request or user.
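The following PHP is an added illustration written for this article, not the plugin's own code. It places the weak pattern the report describes (a non-cryptographic generator seeded from the microsecond field of the clock, so at most one million distinct seeds, with an unsalted, unbound output) next to a hardened replacement that draws its secret from a CSPRNG and binds every hash to a user and a purpose. The function names, the use of `mt_srand`/`mt_rand`, and the `md5` step are assumptions used to make the weakness concrete; the report does not disclose the plugin's exact hash construction.

```php
<?php
// Added example, not LiteSpeed Cache code. Demonstrates why a time-seeded,
// unsalted hash is guessable and what a hardened equivalent looks like.

// WEAK PATTERN (assumed construction): the only entropy is the microsecond
// portion of the current time, i.e. an integer in 0..999999. mt_rand() is a
// Mersenne Twister, not a CSPRNG, and the same seed always yields the same
// output, so the whole hash space collapses to one million values. Nothing
// about the result is tied to a site, a user, or a request.
function weak_security_hash(): string
{
    $now = microtime(true);
    $microseconds = (int) (($now - floor($now)) * 1000000);  // 0 .. 999999
    mt_srand($microseconds);
    return md5((string) mt_rand());  // md5 is an assumption; any digest of a 20-bit seed is equally weak
}

// HARDENED PATTERN: a per-site secret from the OS CSPRNG, generated once and
// stored server-side (never written to debug logs).
function generate_site_secret(): string
{
    return bin2hex(random_bytes(32));  // 256 bits of entropy
}

// Bind the value to the user it was issued for and to the purpose it may be
// used for, so a leaked or guessed value cannot be replayed as someone else.
function user_bound_hash(string $site_secret, int $user_id, string $purpose): string
{
    return hash_hmac('sha256', $purpose . '|' . $user_id, $site_secret);
}

// Constant-time verification; a mismatch in user, purpose, or secret fails.
function verify_user_bound_hash(string $site_secret, int $user_id, string $purpose, string $candidate): bool
{
    $expected = user_bound_hash($site_secret, $user_id, $purpose);
    return hash_equals($expected, $candidate);
}

// Stand-alone demonstration.
$secret = generate_site_secret();
$token  = user_bound_hash($secret, 42, 'role-simulation');

var_dump(verify_user_bound_hash($secret, 42, 'role-simulation', $token));  // bool(true)
var_dump(verify_user_bound_hash($secret, 1, 'role-simulation', $token));   // bool(false): different user
var_dump(verify_user_bound_hash($secret, 42, 'other-feature', $token));    // bool(false): different purpose
echo "weak hash sample: " . weak_security_hash() . PHP_EOL;
```

Two design points matter beyond the generator itself. First, a bearer value like this is only one layer: the feature that consumes it must still check the caller's capability (the Wordfence alert quoted below faults the plugin for not properly restricting the role simulation functionality), so a valid hash alone should never be enough to assume an administrator's ID. Second, the hardened version deliberately has no time or load-average input, which also removes the platform dependency the article notes for the original hash generator.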
“This is due to the plugin not properly restricting the role simulation functionality allowing a user to set their current ID to that of an administrator, if they have access to a valid hash which can be found in the debug logs or through brute force,” Wordfence said in its own alert.
“This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator, and then create a new user account with the administrator role utilizing the /wp-json/wp/v2/users REST API endpoint.”
It’s important to note that the vulnerability cannot be exploited on Windows-based WordPress installations, because the hash generation function relies on a PHP method called sys_getloadavg() that is not implemented on Windows.
“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” Muhammad said.
With a previously disclosed flaw in LiteSpeed Cache (CVE-2023-40000, CVSS score: 8.3) already exploited by malicious actors, it’s crucial that users move quickly to update their installations to the latest version.
Update
Wordfence has revealed that exploitation attempts against the flaw have already commenced in full swing, stating it “blocked 58,952 attacks targeting this vulnerability in the past 24 hours.”