
LiteSpeed Cache plugin flaw potentially puts 5 million websites at risk


The LiteSpeed Cache plugin, installed on over five million WordPress sites, was found to be vulnerable to a privilege escalation attack in versions up to and including 6.3.0.1. The vulnerability, tracked as CVE-2024-28000 (CVSS score of 9.8), allows unauthenticated attackers to impersonate administrative users by exploiting a flaw in the plugin’s role simulation functionality.

The vulnerability stems from the insecure implementation of the plugin’s Crawler Simulation Settings, a feature designed to optimise website performance by simulating user activity.

The flaw resides in two critical functions: async_litespeed_handler() and is_role_simulation().

The first function fails to perform proper capability or nonce checks, allowing any visitor, authenticated or not, to trigger a simulated crawl. This process generates a $hash value, which is stored in the website’s database.

The second function, is_role_simulation(), uses this $hash value to set the current user’s role based on a corresponding cookie value. If an attacker can obtain or brute force the $hash, they can effectively spoof their user ID to that of an administrator.

Once an attacker has administrative access, they can use the WordPress REST API to create new administrative accounts, install malicious plugins, or access sensitive information.

Given the ease with which the $hash can be brute-forced, owing to its limited length and lack of expiration, this vulnerability presents a significant threat to WordPress site owners.
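The two-function pattern described above, as an added PHP illustration that is not the LiteSpeed Cache code: a schematic handler that stores a short, non-expiring token without nonce or capability checks and then trusts a cookie to call wp_set_current_user(), beside a hardened form. Handler, option, transient and cookie names are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code; handler and option names are hypothetical.

// --- The pattern the advisory describes --------------------------------------
// An AJAX endpoint reachable without a nonce or capability check stores a short
// random token that never expires. A second hook trusts a cookie carrying that
// token and switches the current user to whatever ID the cookie names.
add_action( 'wp_ajax_nopriv_sim_start', function () {
    update_option( 'sim_token', wp_generate_password( 6, false ) ); // 6 chars: brute-forceable
    wp_send_json_success();
} );
add_action( 'init', function () {
    if ( isset( $_COOKIE['sim_token'] ) && $_COOKIE['sim_token'] === get_option( 'sim_token' ) ) {
        wp_set_current_user( (int) $_COOKIE['sim_user'] ); // caller chooses the user ID
    }
} );

// --- Hardened form -------------------------------------------------------------
// Only a logged-in administrator with a valid nonce can start a simulation; the
// target user is fixed server-side at that moment and may not be an admin; the
// token is long, stored hashed, expires, and is compared in constant time.
add_action( 'wp_ajax_sim_start', function () {
    check_ajax_referer( 'sim_start' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $uid = isset( $_POST['user'] ) ? absint( $_POST['user'] ) : 0;
    if ( ! $uid || user_can( $uid, 'manage_options' ) ) {
        wp_send_json_error( 'simulation limited to non-admin users', 400 );
    }
    $token = wp_generate_password( 64, false );
    set_transient(
        'sim_session',
        array( 'hash' => wp_hash( $token ), 'user' => $uid ),
        5 * MINUTE_IN_SECONDS
    );
    wp_send_json_success( array( 'token' => $token ) );
} );
add_action( 'init', function () {
    $session = get_transient( 'sim_session' );
    $sent    = isset( $_COOKIE['sim_token'] ) ? (string) $_COOKIE['sim_token'] : '';
    if ( ! is_array( $session ) || '' === $sent || ! hash_equals( $session['hash'], wp_hash( $sent ) ) ) {
        return; // no session, no cookie, or mismatch: leave the request as it was
    }
    wp_set_current_user( $session['user'] ); // ID comes from the server, never the cookie
} );
```

The review point from the advisory is the last line of each half: the insecure form lets the request name the user, while the hardened form only ever resolves a user ID that an authenticated administrator chose server-side.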

Given the critical nature of this vulnerability, researchers believe it will likely be actively exploited in the future.

[Image: $hash value being generated via the Str::rand() function. Source: Wordfence]

The vulnerability has been patched in LiteSpeed Cache version 6.4.1. Researchers have advised users to update to this latest version as failure to do so could leave websites vulnerable to attacks, resulting in total site compromise.

They have also advised developers and site owners to scrutinise functions such as wp_set_current_user() that accept user input, particularly when they interact with cookies or headers.

“Keep an eye out for the function wp_set_current_user() where it accepts user input, especially if the value can be set via a cookie or header making it possible to spoof the current user with specific requests,” researchers cautioned. “When this happens a user may be able to spoof their user ID to that of an administrator and then leverage functionality such as the WordPress REST API to steal sensitive information, install plugins, create administrative user accounts, and more.”

Recently, the JS Help Desk WordPress plugin was found vulnerable to an RCE flaw. Last month, four WordPress plugins were affected by supply chain attacks, and the same attack targeted five WordPress plugins in June 2024.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
