A critical bug in a popular plugin takes sites away from their owners.
PatchStack specialists have discovered a critical vulnerability in the LiteSpeed Cache plugin for WordPress, which allows you to gain administrator rights on the site. The bug potentially affects more than 5 million sites using this plugin. The PatchStack report was also joined by Wordfence, which issued its own vulnerability warning.
LiteSpeed Cache is a popular caching plugin for WordPress, with over 5 million active installations. The bug affects all versions of the plugin up to version 6.4 inclusive, the update of which was released on August 13. Users are strongly advised to update the plugin to the latest version (6.4.1) as soon as possible to avoid potential attacks.
The CVE-2024-28000 elevation of privilege vulnerability (CVSS score: 9.8) allows an unauthorized attacker to gain administrator-level access, which makes it possible to download and install malicious plugins. A cybercriminal can spoof a user ID and log in to the system with administrator privileges using the REST API /wp-json/wp/v2/users. Such actions lead to gaining full control over the vulnerable site.
The problem is that the user simulation feature in the plugin uses a weak hash. This hash is generated based on a random number, which is easy to predict as it depends on time with microsecond accuracy. As a result, there are only a million possible hash values. In addition, the random number generator is not cryptographically secure, and the hash is not protected by additional measures such as salting or binding to a specific request or user.
It is worth noting that the vulnerability cannot be exploited on WordPress sites running on the Windows platform, since the hash generation function depends on the PHP sys_getloadavg() method, which is not implemented in Windows.
Source
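As an added illustration of the weakness described in the post (not the plugin's code, and not an exploit), the toy `weak_token` below models a token that is a pure function of the clock's microsecond field, so it has at most a million states and repeats across seconds; `issue_token`/`verify_token` show the hardened shape the post calls for: a CSPRNG nonce, an expiry, and an HMAC under a server-side key that binds the token to a specific user and request. Names, the key, and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets
import time

# Constructed model of the weakness: a token seeded only from the microsecond
# field of the clock has at most 10**6 distinct values (about 20 bits).
MICROSECOND_STATES = 10**6


def weak_token_entropy_bits() -> float:
    """Upper bound on the entropy of a microsecond-seeded token."""
    return math.log2(MICROSECOND_STATES)


def weak_token(now_us: int) -> str:
    """Toy time-seeded token (hypothetical, not the plugin's algorithm):
    a pure function of the microsecond field, unsalted and bound to nothing."""
    seed = now_us % MICROSECOND_STATES
    return hashlib.sha256(str(seed).encode()).hexdigest()[:12]


def issue_token(server_key: bytes, user_id: int, ttl_s: int = 60, now=None) -> str:
    """Hardened form: OS CSPRNG nonce, short expiry, and an HMAC under a
    server-side key that binds the token to this user and this request."""
    nonce = secrets.token_bytes(16)  # 128 bits from the OS CSPRNG
    expiry = int((time.time() if now is None else now) + ttl_s)
    msg = f"{user_id}:{expiry}:{nonce.hex()}".encode()
    tag = hmac.new(server_key, msg, hashlib.sha256).hexdigest()
    return f"{user_id}:{expiry}:{nonce.hex()}:{tag}"


def verify_token(server_key: bytes, token: str, expected_user_id: int, now=None) -> bool:
    """Accept only an unexpired token for the expected user whose HMAC verifies."""
    try:
        uid, expiry, nonce_hex, tag = token.split(":")
        uid_i, expiry_i = int(uid), int(expiry)
    except ValueError:
        return False
    if uid_i != expected_user_id:  # token is bound to one user id
        return False
    if expiry_i < (time.time() if now is None else now):  # token is short-lived
        return False
    msg = f"{uid_i}:{expiry_i}:{nonce_hex}".encode()
    expected = hmac.new(server_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed server-side key
    print(f"weak token entropy <= {weak_token_entropy_bits():.1f} bits")
    print("same microsecond, one second apart ->", weak_token(1_000_123) == weak_token(2_000_123))
    tok = issue_token(key, user_id=1, now=1_700_000_000)
    print("verifies as user 1:", verify_token(key, tok, 1, now=1_700_000_010))
    print("verifies as user 2:", verify_token(key, tok, 2, now=1_700_000_010))
```

The hardened token still depends on the server key staying secret; it does not replace a proper capability check on the endpoint that consumes it.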