
Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access

Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to gain administrator privileges.

“The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated user to gain Administrator level access after which malicious plugins could be uploaded and installed,” Patchstack’s Rafie Muhammad said in a Wednesday report.

The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), has been patched in version 6.4 of the plugin released on August 13, 2024. It impacts all versions of the plugin, including and prior to 6.3.0.1.


LiteSpeed Cache is one of the most widely used caching plugins in WordPress with over 5 million active installations.

In a nutshell, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them privileges to take over a vulnerable WordPress site.

The vulnerability is rooted in a user simulation feature in the plugin that uses a weak security hash that suffers from the use of a trivially guessable random number as the seed.


Specifically, there are only one million possible values for the security hash due to the fact that the random number generator is derived from the microsecond portion of the current time. What’s more, the random number generator is not cryptographically secure and the generated hash is neither salted nor tied to a particular request or a user.
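The weakness class described above, next to a hardened design, as an added Python illustration (not the plugin's PHP code and not from the original report). The 32-character token length, the function names and the HMAC-based replacement are assumptions chosen for the sketch.

```python
import hashlib
import hmac
import math
import random
import secrets
import string
import time

SEED_SPACE = 1_000_000  # microsecond field of the clock: 0..999999
ALPHABET = string.ascii_letters + string.digits


def weak_token(seed: int, length: int = 32) -> str:
    """Weak pattern: non-cryptographic PRNG, the seed is the only secret input."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def weak_token_now() -> str:
    """Seed taken from the microsecond portion of the current time."""
    return weak_token(int(time.time() * 1_000_000) % SEED_SPACE)


def weak_keyspace_bits() -> float:
    """Unpredictability is capped by the seed space, not by the token length."""
    return math.log2(SEED_SPACE)


def new_server_key() -> bytes:
    """256-bit key from the OS CSPRNG, kept server-side (assumed design)."""
    return secrets.token_bytes(32)


def issue_token(key: bytes, user_id: int, request_id: str) -> str:
    """Hardened pattern: keyed MAC bound to one user and one request."""
    msg = f"{user_id}:{request_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_token(key: bytes, user_id: int, request_id: str, token: str) -> bool:
    """Recompute the MAC and compare in constant time."""
    expected = issue_token(key, user_id, request_id)
    return hmac.compare_digest(expected.encode(), token.encode())
```

However long the weak token is, it carries under 20 bits of unpredictability, while the keyed variant is rejected when presented for a different user or request.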

“This is due to the plugin not properly restricting the role simulation functionality allowing a user to set their current ID to that of an administrator, if they have access to a valid hash which can be found in the debug logs or through brute force,” Wordfence said in its own alert.

“This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator, and then create a new user account with the administrator role utilizing the /wp-json/wp/v2/users REST API endpoint.”


It's important to note that the vulnerability cannot be exploited on Windows-based WordPress installations due to the hash generation function's reliance on a PHP method called sys_getloadavg() that's not implemented on Windows.


“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” Muhammad said.

With a previously disclosed flaw in LiteSpeed Cache (CVE-2023-40000, CVSS score: 8.3) exploited by malicious actors, it's imperative that users move quickly to update their instances to the latest version.
