Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

May 08, 2024NewsroomWeb Security / Vulnerability

A high-severity flaw impacting the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue admin accounts on susceptible websites.

The findings come from WPScan, which said that the vulnerability (CVE-2023-40000, CVSS score: 8.3) has been leveraged to set up bogus admin users with the names wpsupp‑user and wp‑configuser.

CVE-2023-40000, which was disclosed by Patchstack in February 2024, is a stored cross-site scripting (XSS) vulnerability that could permit an unauthenticated user to elevate privileges by means of specially crafted HTTP requests.

The flaw was addressed in October 2023 in version 5.7.0.1. It’s worth noting that the latest version of the plugin is 6.2.0.1, which was released on April 25, 2024.

LiteSpeed Cache has over 5 million active installations, with statistics showing that versions other than 5.7, 6.0, 6.1, and 6.2 are still active on 16.8% of all websites.

According to the Automattic-owned company, malware typically injects into WordPress files JavaScript code hosted on domains like dns.startservicefounds[.]com and api.startservicefounds[.]com.

Creating admin accounts on WordPress sites can have severe consequences, as it allows the threat actor to gain full control over the website and perform arbitrary actions, ranging from injecting malware to installing malicious plugins.

To mitigate potential threats, users are being advised to apply the latest fixes, review all installed plugins, and delete any suspicious files and folders.

“Search in [the] database for suspicious strings like ‘eval(atob(Strings.fromCharCode,'” WPScan said, “specifically in the option litespeed.admin_display.messages.”

The development comes as Sucuri revealed a redirect scam campaign dubbed Mal.Metrica on infected WordPress sites that employs fake CAPTCHA verification prompts to take users to fraudulent and undesirable sites, which are designed to download sketchy software or entice victims into providing personal information under the guise of sending rewards.

“While this prompt seems like a routine human-verification check it is actually completely fake — and is instead trying to trick the user into clicking the button thereby initiating a redirect to malicious and scammy websites,” security researcher Ben Martin said.

Like Balada Injector, the activity takes advantage of recently disclosed security flaws in WordPress plugins to inject external scripts that impersonate CDN or web analytics services. As many as 17,449 websites have been compromised with Mal.Metrica so far in 2024.

“WordPress website owners may want to consider enabling automatic updates for core files, plugins, and themes,” Martin said. “Regular users of the web should also be wary of clicking on links that seem out of place or suspicious.”