Critical Bug in WordPress LiteSpeed ​​Cache Plugin Gives Hackers Admin Access

August 22, 2024 | Ravie Lakshmanan | Website Security / Vulnerability


Cybersecurity researchers have discovered a critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to gain administrative privileges.

“The plugin suffers from an unauthenticated privilege escalation vulnerability, which could allow unauthenticated visitors to gain administrator-level access, subsequently allowing malicious plugins to be uploaded and installed,” Patchstack’s Rafie Muhammad said in a report on Wednesday.

The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), was patched in version 6.4 of the plugin released on August 13, 2024. It affects all versions of the plugin, including and prior to 6.3.0.1.


LiteSpeed Cache is one of the most widely used caching plugins in WordPress with over five million active installations.

In short, CVE-2024-28000 allows an unauthenticated attacker to spoof their user ID and register as an administrator-level user, effectively gaining permissions to take over a vulnerable WordPress site.

The vulnerability is rooted in a user simulation function in the plugin that leverages a weak security hash that suffers from the use of an easily guessable random number as the seed.

Specifically, there are only one million possible values for the security hash, because the random number generator is seeded from the microsecond portion of the current time. Furthermore, the random number generator is not cryptographically secure, and the generated hash is not salted or tied to a specific request or user.
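The paragraph above describes the design flaw in general terms. The following added example (written for this article, not code from the LiteSpeed Cache plugin or from Patchstack) models the two designs side by side: a hash derived from a non-cryptographic PRNG seeded with the microsecond part of the clock, whose effective keyspace is one million values, and a hardened token built from a CSPRNG and bound with an HMAC to a server secret, a user ID and a request. The function names, the use of MD5 for the weak variant and the `server_secret` / `request_id` parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import random
import secrets

# Size of the seed space when a value is derived only from the microsecond
# part of the current time: 0 .. 999,999, i.e. one million possibilities.
MICROSECOND_SEED_SPACE = 1_000_000


def weak_hash(microseconds: int) -> str:
    """Model of the weak pattern described in the article: a non-cryptographic
    PRNG (random.Random) seeded from the microsecond part of the clock, its
    output hashed. Constructed illustration of the flaw, not the plugin's code."""
    rng = random.Random(microseconds % MICROSECOND_SEED_SPACE)
    return hashlib.md5(str(rng.random()).encode()).hexdigest()


def weak_entropy_bits() -> float:
    """Effective entropy of the weak hash: log2 of its seed space (about 19.9
    bits), regardless of how long the hex digest looks."""
    return math.log2(MICROSECOND_SEED_SPACE)


def strong_token(user_id: int, request_id: str, server_secret: bytes) -> str:
    """Hardened pattern: 256 bits from the OS CSPRNG, and an HMAC that binds
    the token to a server-side secret, the user and the specific request, so
    a token is neither guessable nor reusable for a different user."""
    nonce = secrets.token_bytes(32)
    context = f"{user_id}:{request_id}".encode()
    tag = hmac.new(server_secret, nonce + context, hashlib.sha256).hexdigest()
    return f"{nonce.hex()}.{tag}"


def verify_token(token: str, user_id: int, request_id: str, server_secret: bytes) -> bool:
    """Recompute the HMAC for the claimed user/request and compare in constant
    time. A token minted for another user or request fails verification."""
    nonce_hex, _, tag = token.partition(".")
    try:
        nonce = bytes.fromhex(nonce_hex)
    except ValueError:
        return False
    context = f"{user_id}:{request_id}".encode()
    expected = hmac.new(server_secret, nonce + context, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def strong_entropy_bits() -> int:
    """Entropy of the hardened token's random part: 32 bytes = 256 bits."""
    return 32 * 8


if __name__ == "__main__":
    # Same microsecond value (even one million ticks later) -> same weak hash.
    print(weak_hash(4242) == weak_hash(4242 + MICROSECOND_SEED_SPACE))
    print(f"weak: ~{weak_entropy_bits():.1f} bits, strong: {strong_entropy_bits()} bits")
    secret = secrets.token_bytes(32)  # constructed server secret for the demo
    tok = strong_token(user_id=1, request_id="req-demo", server_secret=secret)
    print(verify_token(tok, 1, "req-demo", secret), verify_token(tok, 2, "req-demo", secret))
```

The point the numbers make is the one the article makes: the length of the digest says nothing about its strength, and a token that is not salted and not bound to a user or request can be reused by whoever obtains it. Binding with an HMAC over a server secret plus the user and request context closes both gaps.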

“This is because the plugin does not properly restrict the role simulation functionality, preventing a user from setting their current ID to that of an administrator if they have access to a valid hash found in the debug logs or via brute force,” Wordfence said in its own alert.

“This allows unauthenticated attackers to spoof their user ID by replacing it with an administrator’s. They can then create a new user account with the administrator role using the /wp-json/wp/v2/users REST API endpoint.”


It is important to note that the vulnerability cannot be exploited on Windows-based WordPress installations because the hash generation function relies on a PHP method named sys_getloadavg() that is not implemented on Windows.

“This vulnerability underscores the importance of ensuring the strength and unpredictability of values used as security hashes or nonces,” Muhammad said.

Due to malicious actors exploiting a previously disclosed flaw in LiteSpeed Cache (CVE-2023-40000, CVSS score: 8.3), it is imperative that users update their instances to the latest version as soon as possible.
