A vulnerability in the LiteSpeed Cache plugin for WordPress is actively exploited in the wild.

Recent research has shown that attackers are actively exploiting a serious vulnerability in the LiteSpeed Cache plugin for WordPress that allows them to take control of websites. Researchers from WPScan reported that the vulnerability is tracked as CVE-2023-40000 and has a CVSS score of 8.3. It stems from insufficient sanitization of input data during web page generation, which makes XSS (cross-site scripting) attacks possible against web resources that use LiteSpeed Cache.

Plugin description

The LiteSpeed Cache plugin for WordPress (LSCWP) is a versatile tool for speeding up websites; it offers server-side caching together with numerous optimization functions. Since its release, it has been installed on more than 5 million sites. While studying this vulnerability, experts discovered that attackers create fake administrator accounts named wpsupp-user and wp-configuser on hacked resources. These accounts give them complete control over the site.

Progress of research

The vulnerability was identified in February 2024. Experts from Patchstack reported that exploitation can be initiated by an unauthenticated user who sends carefully crafted HTTP requests to escalate their privileges.


WPScan also noted that attackers can inject malicious scripts into vulnerable versions of the LiteSpeed plugin. During the monitoring of attacks, a significant increase in requests to fraudulent URLs was observed on April 2 and April 27.

Active IP addresses

The research also identified the most active IP addresses, which likely scanned for vulnerable websites. These addresses include:

  • 94.102.51.144 with more than 1.2 million requests
  • 31.43.191.220 with more than 70 thousand requests

The vulnerability was fixed in October 2023 with the release of version 5.7.0.1. The research also highlighted indicators of compromise related to these attacks, including fraudulent URLs.

Recommendations from researchers

Researchers also strongly recommend being cautious of IP addresses associated with malware, for example 45.150.67.235. Stay updated with the latest news and updates in the field of cybersecurity by following me on Twitter: @securityaffairs, as well as on Facebook and Mastodon. Be careful and protect your resources from potential threats!
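A small triage helper for site owners, added here as an example and not code from WPScan or Patchstack: it checks the installed LiteSpeed Cache version against the 5.7.0.1 fix, looks for the two rogue administrator names reported above, and counts access-log requests from the IP addresses named in the article. It assumes every release older than 5.7.0.1 is affected, that the administrator list comes from the site (for instance from WP-CLI), and that the log is in the common Apache/nginx format; the sample log lines and usernames are constructed.

```python
import re
from collections import Counter

# Indicators taken from the article: fix version and rogue admin usernames.
FIXED_VERSION = "5.7.0.1"
ROGUE_ADMIN_NAMES = {"wpsupp-user", "wp-configuser"}
# IP addresses named in the article as scanners / malware-associated.
KNOWN_SCANNER_IPS = {"94.102.51.144", "31.43.191.220", "45.150.67.235"}

# Leading IPv4 address of a common-format access log line.
LOG_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")


def parse_version(v: str) -> tuple:
    """Turn '5.7' or '5.7.0.1' into a zero-padded 4-tuple so they compare correctly."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_vulnerable_version(installed: str) -> bool:
    """Assumption: every release older than the fix (5.7.0.1) is affected."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def rogue_admins(admin_usernames) -> list:
    """Return administrator accounts whose names match the article's indicators."""
    return sorted(u for u in admin_usernames if u.lower() in ROGUE_ADMIN_NAMES)


def flag_scanner_requests(log_lines) -> Counter:
    """Count requests per known scanner IP across access-log lines."""
    hits = Counter()
    for line in log_lines:
        m = LOG_IP_RE.match(line)
        if m and m.group(1) in KNOWN_SCANNER_IPS:
            hits[m.group(1)] += 1
    return hits


# Constructed sample data, not real telemetry.
SAMPLE_LOG = [
    '94.102.51.144 - - [02/Apr/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Apr/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 8192',
    '94.102.51.144 - - [02/Apr/2024:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64',
    '31.43.191.220 - - [27/Apr/2024:11:30:00 +0000] "GET /?p=1 HTTP/1.1" 200 4096',
]
SAMPLE_ADMINS = ["siteowner", "wpsupp-user", "editor1"]

if __name__ == "__main__":
    print("vulnerable version:", is_vulnerable_version("5.7"))
    print("rogue admins:", rogue_admins(SAMPLE_ADMINS))
    print("scanner hits:", dict(flag_scanner_requests(SAMPLE_LOG)))
```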
