A critical security flaw in the LiteSpeed Cache plugin for WordPress has been identified, exposing millions of sites to potential compromise. The vulnerability, tracked as CVE-2024-28000, carries a CVSS score of 9.8. It allows an unauthenticated attacker to obtain administrator-level access, which in turn permits the installation of malicious plugins and a full takeover of the affected WordPress site. The issue affects all versions of the plugin up to and including 6.3.0.1.
The root cause lies in the plugin's user simulation feature, which lets its crawler act as a specific user and is protected only by a weak security hash. That hash is produced by a non-cryptographic random number generator seeded from the microsecond portion of the current time, so it can take at most 1,000,000 distinct values regardless of how long the token looks. Because the hash is neither salted nor bound to a particular request, an attacker can brute-force it offline or, where debug logging is enabled, simply read it out of the plugin's debug log. With a valid hash in hand, the attacker supplies an arbitrary user ID alongside it (for example that of an administrator) and is treated as that user.
The vulnerability was written up by Patchstack's Rafie Muhammad; Wordfence, in its own advisory, highlighted that the spoofed administrator identity can be used against the standard WordPress /wp-json/wp/v2/users REST API endpoint to create new administrative user accounts, giving the attacker a persistent foothold that survives any later fix to the plugin. The flaw is significant because it bypasses authentication entirely, granting an unauthorized party full control over the site. Notably, the vulnerability does not affect Windows-based WordPress installations, because the sys_getloadavg() PHP function that the vulnerable code path calls is not available on Windows.
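The two preceding paragraphs describe the weakness twice over: a token whose only entropy is a microsecond value, and a check that trusts a client-supplied user ID once that token matches. The following Python model, added here as an illustration and not taken from the plugin or from either write-up, shows both halves side by side with a hardened counterpart. It does not reproduce the plugin's PHP code: the token alphabet and length, the use of Python's Mersenne Twister in place of PHP's mt_rand, the cookie-handling logic and the user IDs are all assumptions chosen to make the seed-space and role-binding problems concrete. The cookie names litespeed_hash and litespeed_role are the ones used in the public advisories.

```python
import hmac
import random
import secrets
import string
from typing import Optional

# Assumed token alphabet and length for the model; the real plugin's
# character set is not reproduced here, only the seed-space weakness.
ALPHABET = string.ascii_lowercase + string.digits
HASH_LEN = 6
MICROSECONDS_PER_SECOND = 1_000_000


def weak_hash(microseconds: int) -> str:
    """Model of the vulnerable construction.

    The only entropy is the microsecond part of the clock, an integer in
    0..999999, used as the seed of a non-cryptographic PRNG (Python's
    Mersenne Twister stands in for PHP's mt_rand).  Whatever the token
    length, the generator can only ever emit 1,000,000 distinct values.
    """
    rng = random.Random(microseconds)
    return "".join(rng.choice(ALPHABET) for _ in range(HASH_LEN))


def nominal_keyspace() -> int:
    """What a 6-character token over this alphabet appears to offer."""
    return len(ALPHABET) ** HASH_LEN  # 36**6 = 2,176,782,336


def effective_keyspace() -> int:
    """What it actually offers: one token per possible seed."""
    return MICROSECONDS_PER_SECOND


def brute_force_weak_hash(target: str, max_seed: int = MICROSECONDS_PER_SECOND) -> Optional[int]:
    """Recover a seed that reproduces `target` by walking the seed space.

    No salt and no per-request binding means this can be precomputed once
    and reused: a table of 1,000,000 tokens covers every site that runs
    the same generator.
    """
    for seed in range(max_seed):
        if weak_hash(seed) == target:
            return seed
    return None


def strong_hash() -> str:
    """Hardened replacement: 128 bits from the OS CSPRNG, unrelated to time."""
    return secrets.token_hex(16)


# --- Model of the role-simulation check ------------------------------------
# Simplified model of the check, not the plugin's code.  Cookie names are the
# ones named in the public advisories.

def vulnerable_simulated_user(cookies: dict, stored_hash: str) -> Optional[int]:
    """Vulnerable shape: the hash gates the feature, but the user ID to
    impersonate is read straight from a client-controlled cookie, so a
    guessed hash plus litespeed_role=1 yields the first administrator."""
    if cookies.get("litespeed_hash") != stored_hash:
        return None
    return int(cookies.get("litespeed_role", 0)) or None


def hardened_simulated_user(cookies: dict, stored_hash: str, stored_role: int) -> Optional[int]:
    """Hardened shape: constant-time comparison of a CSPRNG token, and the
    user ID comes from server-side state recorded when the token was issued,
    so the client cannot choose who it becomes."""
    supplied = cookies.get("litespeed_hash", "")
    if not hmac.compare_digest(supplied, stored_hash):
        return None
    return stored_role


if __name__ == "__main__":
    token = weak_hash(424242)  # constructed sample: server clock read 0.424242s
    print(f"token {token}: nominal keyspace {nominal_keyspace():,}, "
          f"effective keyspace {effective_keyspace():,}")
    print("seed recovered:", brute_force_weak_hash(token))
    forged = {"litespeed_hash": token, "litespeed_role": "1"}
    print("vulnerable check grants user:", vulnerable_simulated_user(forged, token))
    print("hardened check grants user:", hardened_simulated_user(forged, token, stored_role=5))
```

Running the script walks roughly 424,000 seeds before recovering the sample token, which takes a few seconds in CPython; an attacker would do this once and keep the table. The hardened check in the last line still accepts the token but returns the role the server recorded (here the constructed subscriber ID 5), not the administrator ID the cookie asked for, and using a constant-time comparison removes the timing side channel that a plain string comparison on a short token would otherwise leak.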
The fix shipped in LiteSpeed Cache version 6.4, released on August 13, 2024, and users are strongly advised to upgrade immediately. Upgrading closes the hole but does not undo an existing compromise: administrators should also review the site's user list for unexpected administrator accounts and confirm that the plugin's debug logging is disabled, since the log is a second route by which the hash could have leaked. The flaw underscores the need for cryptographically secure token generation in authentication-adjacent features and the importance of timely updates to safeguard site security and integrity.