Original Article Text


Hackers exploit LiteSpeed Cache flaw to create WordPress admins.

Hackers have been targeting WordPress sites running an outdated version of the LiteSpeed Cache plugin to create administrator users and gain control of the websites.

LiteSpeed Cache (LS Cache) is advertised as a caching plugin used on over five million WordPress sites that speeds up page loads, improves the visitor experience, and boosts Google Search ranking.

Automattic's security team, WPScan, observed in April increased activity from threat actors scanning for and compromising WordPress sites with versions of the plugin older than 5.7.0.1, which are vulnerable to a high-severity (8.8) unauthenticated cross-site scripting flaw tracked as CVE-2023-40000.

From one IP address, 94[.]102[.]51[.]144, there were more than 1.2 million probing requests when scanning for vulnerable sites.

WPScan reports that the attacks employ malicious JavaScript code injected into critical WordPress files or the database, creating administrator users named 'wpsupp-user' or 'wp-configuser'. Another sign of infection is the presence of the "eval(atob(Strings.fromCharCode" string in the "litespeed.admin_display.messages" option in the database.

A large share of LiteSpeed Cache users have migrated to more recent versions that are not affected by CVE-2023-40000, but a significant number, up to 1,835,000, still run a vulnerable release.

Targeting Email Subscribers plugin

The ability to create admin accounts on WordPress sites gives attackers full control over the website, allowing them to modify content, install plugins, change critical settings, redirect traffic to unsafe sites, distribute malware or phishing pages, or steal available user data.

At the start of the week, Wallarm reported on another campaign targeting a WordPress plugin named "Email Subscribers" to create administrator accounts.

The hackers leverage CVE-2024-2876, a critical SQL injection vulnerability with a severity score of 9.8/10 that affects plugin versions 5.7.14 and older.

Though "Email Subscribers" is far less popular than LiteSpeed Cache, with a total of 90,000 active installations, the observed attacks show that hackers will not shy away from any opportunity.

WordPress site admins are advised to update plugins to the latest version, remove or disable components that are not needed, and monitor for newly created admin accounts.

A full site cleanup is mandatory in the event of a confirmed breach. The process requires deleting all rogue accounts, resetting passwords for all existing accounts, and restoring the database and site files from clean backups.
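As an added example (not from the article, WPScan or the plugin vendor), the following Python check applies the indicators above to an export of a site's wp_options and wp_users tables: the rogue login names and the poisoned "litespeed.admin_display.messages" option. The input row layout and the assumption that matching the "eval(atob(" prefix is enough to catch the quoted string are mine; the sample data is constructed.

```python
import re
from datetime import datetime

# Rogue admin logins named in the WPScan report; hyphen variants are normalised.
ROGUE_LOGINS = {"wpsupp-user", "wp-configuser"}
# The report quotes "eval(atob(Strings.fromCharCode"; matching the "eval(atob("
# prefix is an assumption that also covers close variants of the same payload.
PAYLOAD_RE = re.compile(r"eval\s*\(\s*atob\s*\(", re.IGNORECASE)
TARGET_OPTION = "litespeed.admin_display.messages"


def _norm(login):
    # Fold unicode hyphens (U+2010..U+2013) to "-" and compare case-insensitively.
    return re.sub(r"[\u2010\u2011\u2012\u2013]", "-", login).strip().lower()


def scan_options(options):
    """options: iterable of (option_name, option_value) rows from wp_options."""
    findings = []
    for name, value in options:
        if name == TARGET_OPTION and PAYLOAD_RE.search(value or ""):
            findings.append(f"option {name} contains an encoded eval(atob(...)) payload")
    return findings


def scan_admins(users, baseline_logins, since):
    """users: dicts with user_login, user_registered (ISO) and roles.
    Flags administrators with a known rogue name, or registered after
    `since` without being in the trusted baseline of admin logins."""
    findings = []
    for u in users:
        if "administrator" not in u.get("roles", []):
            continue
        login = _norm(u["user_login"])
        registered = datetime.fromisoformat(u["user_registered"])
        if login in ROGUE_LOGINS:
            findings.append(f"known rogue admin login: {u['user_login']}")
        elif login not in baseline_logins and registered > since:
            findings.append(f"unexpected new admin: {u['user_login']} ({u['user_registered']})")
    return findings


# Constructed sample rows standing in for a real wp_options / wp_users export.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    (TARGET_OPTION, '<script>eval(atob(String.fromCharCode(97,108,101,114,116)))</script>'),
]
SAMPLE_USERS = [
    {"user_login": "editor1", "user_registered": "2023-01-10 09:00:00", "roles": ["administrator"]},
    {"user_login": "wpsupp\u2011user", "user_registered": "2024-04-20 03:12:44", "roles": ["administrator"]},
    {"user_login": "newhire", "user_registered": "2024-04-22 10:00:00", "roles": ["administrator"]},
    {"user_login": "subscriber9", "user_registered": "2024-04-23 10:00:00", "roles": ["subscriber"]},
]


def run_sample():
    # Trusted baseline of admin logins as known before the incident window.
    return scan_options(SAMPLE_OPTIONS) + scan_admins(SAMPLE_USERS, {"editor1"}, datetime(2024, 4, 1))


if __name__ == "__main__":
    for finding in run_sample():
        print("[!]", finding)
```

On a live site the same rows come from `SELECT option_name, option_value FROM wp_options` and from wp_users joined with the capabilities entry in wp_usermeta.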

Daily Brief Summary

CYBERCRIME // Hackers Exploit WordPress Plugins to Gain Admin Access

Hackers are exploiting an outdated LiteSpeed Cache plugin vulnerability on WordPress sites to create admin accounts and control the websites.

The LiteSpeed Cache plugin, used by over five million sites, speeds up page loads and improves Google rankings; older versions prior to 5.7.0.1 harbor a cross-site scripting flaw.

More than 1.2 million probes from a single IP were recorded, indicating a wide-scale attempt to discover and compromise vulnerable sites.

Attack tactics involve injecting malicious JavaScript into WordPress files or databases to establish unauthorized admin users.

Despite the availability of patched releases, approximately 1.835 million installations of the LiteSpeed Cache plugin remain vulnerable because they have not been upgraded.

A similar exploit was observed with the less popular "Email Subscribers" plugin, highlighting a continuous risk across various plugins.

Recommendations for site admins include updating plugins, removing non-essential components, and vigilant monitoring for unauthorized admin creation.

Following a breach, a comprehensive site cleanup is mandatory, including deletion of rogue accounts, password resets for all existing accounts, and restoration of the database and site files from clean backups.