
Vulnerability in popular WordPress plugin gives hackers complete control


LiteSpeed Cache, a popular WordPress plugin for site optimization, contains a vulnerability that lets an unauthenticated attacker grant themselves administrator rights and effectively take over the site from its rightful owner.

The plugin is installed on some 5 million WordPress sites, all of which were exposed to this privilege-escalation attack. The vulnerability came to light thanks to sleuthing by a participant in Patchstack's bug bounty program. That company provides software for detecting vulnerabilities in WordPress sites, plugins and themes. The discoverer can expect a reward of 14,400 dollars (nearly 13,000 euros), reportedly the highest amount ever paid out for such a find.

The LiteSpeed Cache plugin is an all-in-one optimization tool that provides server-side caching and a host of other optimizations, including fine-grained control over which parts of a site are cached, how long elements stay in the cache and what should never be cached. The plugin supports WordPress Multisite, a feature that lets users manage multiple WordPress sites from a single dashboard, and it is compatible with popular plugins such as WooCommerce and Yoast SEO.

Weak security hash

The vulnerability lies in the role-simulation feature of the site crawler (the component that determines which parts of a site to cache). Because of several weaknesses in how it is generated, the security hash that guards this feature can take only about a million possible values, and once created it is never rotated. An attacker can therefore brute-force it in a matter of hours.

The only other requirement is knowing the administrator's user ID and placing it in the litespeed_role cookie alongside the guessed hash. That is rarely a hurdle: in many installations the first administrator account simply has ID 1.
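To make the numbers concrete, here is an added, constructed model of the flaw (not the LiteSpeed Cache plugin's code): a token generator that can only ever produce one million distinct values, a site that trusts the litespeed_role cookie once the litespeed_hash cookie matches, and the brute-force loop that walks the whole keyspace. The `weak_hash` function is a stand-in that only reproduces the million-value keyspace described above, not the plugin's real algorithm; `VulnerableSite`, `HardenedSite` and `is_fixed` are likewise hypothetical names. The hardened variant is this editor's suggestion for what a safe design looks like, not a description of the vendor's patch.

```python
"""
Constructed model of a role-simulation flaw guarded by a weak, never-rotated
token. Not the LiteSpeed Cache plugin's source; the generator below only
reproduces the million-value keyspace, not the plugin's actual algorithm.
"""
import hmac
import secrets
import string

KEYSPACE = 1_000_000                      # weak keyspace size from the report
ALPHABET = string.ascii_lowercase + string.digits


def weak_hash(seed: int) -> str:
    """Stand-in weak generator: deterministically maps one of 10**6 seeds to a
    6-character token, so all of the token's entropy is the integer seed."""
    s = seed % KEYSPACE
    chars = []
    for _ in range(6):
        chars.append(ALPHABET[s % len(ALPHABET)])
        s //= len(ALPHABET)
    return "".join(chars)


class VulnerableSite:
    """Mimics the vulnerable check: a matching litespeed_hash cookie makes the
    site trust whatever user ID the litespeed_role cookie carries."""

    def __init__(self, hash_value: str):
        self._hash = hash_value           # generated once, never rotated

    def current_user_for(self, cookies: dict) -> int:
        if cookies.get("litespeed_hash") == self._hash:
            return int(cookies.get("litespeed_role", "0"))
        return 0                          # 0 = not logged in


def brute_force(site, role: int = 1, max_attempts: int = KEYSPACE):
    """Walk the million-value keyspace with the target role (admin ID, often 1)
    in the litespeed_role cookie. Returns (token, attempts) or (None, attempts)."""
    for seed in range(max_attempts):
        guess = weak_hash(seed)
        cookies = {"litespeed_hash": guess, "litespeed_role": str(role)}
        if site.current_user_for(cookies) == role:
            return guess, seed + 1
    return None, max_attempts


class HardenedSite:
    """Suggested hardening (this editor's, not the vendor's patch): a 128-bit
    token from the OS CSPRNG, compared in constant time, with the simulated role
    bound server-side when the token is issued instead of read from a cookie."""

    def __init__(self):
        self._token = None
        self._bound_role = 0

    def issue_token(self, role: int) -> str:
        self._token = secrets.token_hex(16)   # 2**128 values, fresh on each issue
        self._bound_role = role
        return self._token

    def current_user_for(self, cookies: dict) -> int:
        presented = cookies.get("litespeed_hash", "")
        if self._token and hmac.compare_digest(presented, self._token):
            return self._bound_role       # litespeed_role cookie is ignored
        return 0


def is_fixed(version: str) -> bool:
    """True when the installed plugin version is 6.4 or later (the fixed line)."""
    parts = tuple(int(p) for p in version.split("."))
    return parts >= (6, 4)


if __name__ == "__main__":
    site = VulnerableSite(weak_hash(secrets.randbelow(KEYSPACE)))
    token, attempts = brute_force(site)
    print(f"vulnerable site: token {token} recovered after {attempts} guesses")

    hardened = HardenedSite()
    hardened.issue_token(role=1)
    token, attempts = brute_force(hardened, max_attempts=10_000)
    print(f"hardened site: {token} after {attempts} guesses (keyspace attack fails)")

    for v in ("6.3.0.1", "6.4", "6.4.1"):
        print(v, "fixed" if is_fixed(v) else "VULNERABLE")
```

Running the script against the weak model finds the token in at most a million guesses, which is the whole point: a keyspace that small is exhausted in hours even with generous rate limits, and because the value never rotates the attacker only has to succeed once. The hardened variant shows the three properties that actually close the hole: enough entropy that enumeration is hopeless, a constant-time comparison, and no trust in a client-supplied role.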

The vulnerability has been designated CVE-2024-28000 and has since been patched: from version 6.4 onward it is no longer present, so site owners still on an older release should update now. According to the report, the flaw only affects the free version of LiteSpeed Cache, and paying users were already protected.

Also read: WordPress pauses updates to plugins to combat supply chain attacks