A vulnerability in the LiteSpeed Cache plugin for WordPress is being actively exploited in the wild.
Recent reports show that attackers are actively exploiting a serious vulnerability in the LiteSpeed Cache plugin for WordPress to take control of websites. Researchers from WPScan reported on the attacks; the flaw is tracked as CVE-2023-40000 and carries a CVSS score of 8.3. It stems from insufficient sanitization of input during web page generation, which allows cross-site scripting (XSS) attacks against sites running LiteSpeed Cache.
Plugin description
The LiteSpeed Cache plugin for WordPress (LSCWP) is a site-acceleration tool offering server-side caching together with numerous optimization features. Since its release it has been installed on more than 5 million sites.
While studying this vulnerability, experts found that attackers create fake administrator accounts named wpsupp-user and wp-configuser on compromised sites. These accounts give the attacker complete control over the site.
Progress of research
The vulnerability was publicly disclosed in February 2024. Experts from Patchstack reported that exploitation can be initiated by an unauthenticated user who sends crafted HTTP requests and ultimately escalates privileges on the affected site.
Active IP addresses
The research identified the most active IP addresses, which most likely scanned for vulnerable websites. These addresses include:
- 94.102.51.144, with more than 1.2 million requests
- 31.43.191.220, with more than 70 thousand requests
The vulnerability was fixed in October 2023 with the release of version 5.7.0.1. The researchers also published indicators of compromise related to these attacks, including malicious URLs.
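The following triage script is an added example and is not code from the article, WPScan, Patchstack, or LiteSpeed. It checks three things the text gives a practitioner to work with: whether the installed plugin version predates the 5.7.0.1 fix, whether web server access logs contain requests from the scanner and malware-associated IP addresses named in the article, and whether the user table contains the rogue administrator account names. The log lines and user list are constructed sample data; the request paths in them are placeholders, not the exploit request.

```python
"""Triage helper for CVE-2023-40000 indicators (added example, not from the article)."""
from __future__ import annotations

import re
from collections import Counter

# Indicators taken from the article text.
SCANNER_IPS = {"94.102.51.144", "31.43.191.220", "45.150.67.235"}
ROGUE_ADMIN_NAMES = {"wpsupp-user", "wp-configuser"}
FIXED_VERSION = "5.7.0.1"

# Combined log format: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access-log lines (paths are placeholders, not the exploit).
SAMPLE_LOG = [
    '94.102.51.144 - - [10/May/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 10240',
    '203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /about/ HTTP/1.1" 200 8192',
    '31.43.191.220 - - [10/May/2024:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    'this line is not in combined log format',
]

# Constructed sample of (user_login, role) pairs, e.g. from a users export.
SAMPLE_USERS = [
    ("admin", "administrator"),
    ("editor1", "editor"),
    ("wpsupp-user", "administrator"),
    ("wp-configuser", "administrator"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '5.7.0.1' into (5, 7, 0, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed LiteSpeed Cache version predates the 5.7.0.1 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def flag_log_lines(lines: list[str]) -> list[tuple[str, str]]:
    """Return (ip, request) for every parseable line from one of the indicator IPs."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match and match.group("ip") in SCANNER_IPS:
            hits.append((match.group("ip"), match.group("req")))
    return hits


def count_by_ip(lines: list[str]) -> Counter:
    """Request count per indicator IP, mirroring the per-IP counts in the report."""
    return Counter(ip for ip, _ in flag_log_lines(lines))


def rogue_accounts(users: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Accounts whose login matches the rogue admin names, with their role, sorted."""
    return sorted((login, role) for login, role in users if login in ROGUE_ADMIN_NAMES)


def triage(version: str, lines: list[str], users: list[tuple[str, str]]) -> dict:
    """Combine the three checks into one summary for a site."""
    return {
        "vulnerable_version": is_vulnerable_version(version),
        "indicator_requests": dict(count_by_ip(lines)),
        "rogue_accounts": rogue_accounts(users),
    }


if __name__ == "__main__":
    summary = triage("5.7", SAMPLE_LOG, SAMPLE_USERS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines and SAMPLE_USERS with the output of a users export; a site that is on 5.7.0.1 or later can still show indicator hits if it was compromised before patching, so the account check matters even when the version check passes.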
Recommendations from researchers
Researchers also strongly recommend watching for traffic from IP addresses associated with the malware, for example 45.150.67.235, updating LiteSpeed Cache to 5.7.0.1 or later, and checking the site for the rogue administrator accounts described above.
Follow me on Twitter: @securityaffairs, and on Facebook and Mastodon, for the latest cybersecurity news and updates.