Cybersecurity researchers have discovered a critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to gain administrator rights.
“The plugin suffers from unauthenticated privilege escalation, which allows any unauthenticated visitor to gain administrator-level access, allowing malicious plugins to be downloaded and installed,” Patchstack’s Rafi Muhammad said in a report published Wednesday.
The vulnerability, identified as CVE-2024-28000 (CVSS score: 9.8), was fixed in version 6.4 of the plugin, released on August 13, 2024. It affects all versions of the plugin, including those earlier than 6.3.0.1.
LiteSpeed Cache is one of the most widely used WordPress caching plugins, with over five million active installations.
In a nutshell, CVE-2024-28000 allows an unauthenticated attacker to spoof their user ID and register as an administrative user, effectively giving them privileges to take over a vulnerable WordPress site.
The vulnerability is rooted in the plugin’s user simulation feature, which relies on a weak security hash: the random number used to seed it can easily be guessed.
In particular, the security hash has only one million possible values, because the random number generator is seeded from the microsecond fraction of the current time. Moreover, the random number generator is not cryptographically secure, and the generated hash is not tied to a specific request or user.
“This is because the plugin doesn’t properly restrict the role simulation functionality to allow the user to set their current ID to the admin ID if they have access to a valid hash, which can be found in the debug logs or via brute force,” Wordfence said in its own advisory.
“This allows unauthenticated attackers to spoof their user ID as an admin ID and then create a new user account with the admin role using the /wp-json/wp/v2/users REST API endpoint.”
It is worth noting that the vulnerability cannot be exploited on Windows-based WordPress installations, because the hash generation function depends on the PHP function sys_getloadavg(), which is not implemented on Windows.
“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values used as security hashes, or nonces,” Muhammad said.
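As an added illustration (not code from LiteSpeed Cache or from either report), the following Python contrasts a token whose only entropy is the microsecond fraction of the clock, the weakness class described above, with one drawn from the OS CSPRNG and bound to a specific user ID and expiry through an HMAC, the property Muhammad’s remark calls for. The secret key, user IDs and timestamps are constructed values.

```python
import hashlib
import hmac
import math
import secrets
import time
from typing import Optional


def keyspace_bits(possible_values: int) -> float:
    """Effective entropy, in bits, of a hash that can take this many values."""
    return math.log2(possible_values)


def weak_time_seeded_token() -> str:
    """Illustrative weak design: the only entropy is the microsecond fraction of
    the current second, so at most 10**6 distinct tokens can ever be produced,
    and nothing ties the token to a user or request."""
    micro = int((time.time() % 1) * 1_000_000)
    return hashlib.md5(str(micro).encode()).hexdigest()[:6]


def issue_token(secret: bytes, user_id: int, ttl: int = 300,
                now: Optional[int] = None) -> str:
    """Hardened design: 128 bits from the OS CSPRNG, bound to one user ID and an
    expiry time via an HMAC under a server-side secret (constructed here)."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    expires = now + ttl
    msg = f"{user_id}:{expires}:{nonce}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{user_id}:{expires}:{nonce}:{tag}"


def verify_token(secret: bytes, token: str, claimed_user_id: int,
                 now: Optional[int] = None) -> bool:
    """Accept the token only for the user it was issued to, only before expiry,
    and only if the HMAC (compared in constant time) is intact."""
    now = int(time.time()) if now is None else now
    try:
        uid, expires, nonce, tag = token.split(":")
        uid, expires = int(uid), int(expires)
    except ValueError:
        return False
    if uid != claimed_user_id or now > expires:
        return False
    msg = f"{uid}:{expires}:{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```

With a one-million-value space the weak token carries under 20 bits of entropy, whereas the hardened token cannot be reused to claim a different user ID or after it expires.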
With a previously disclosed flaw in LiteSpeed Cache (CVE-2023-40000, CVSS score: 8.3) already having been exploited by attackers, it is important that users update their installations to the latest version promptly.