WordPress Cache Plugin Vulnerability Affects +5 Million Websites

Millions of websites at risk due to a critical vulnerability affecting the LiteSpeed WordPress cache plugin

Up to 5 million installations of the LiteSpeed Cache WordPress plugin are vulnerable to an exploit that allows hackers to gain administrator rights and upload malicious files and plugins.

The vulnerability was first reported to Patchstack, a WordPress security company, which notified the plugin developer and waited until the vulnerability was patched before making a public announcement.

The plugin is used on over five million websites as an all-in-one site acceleration solution. It features a server-level cache and a collection of optimization features.

John Blackbourn, a security researcher and member of the Patchstack Alliance community, discovered that LiteSpeed Cache suffers from an unauthenticated privilege escalation flaw. Any visitor to the affected website could gain administrator-level access, which attackers could exploit to upload and install malicious plugins.

The flaw lies in the way the plugin protects one of its features, called user simulation. This feature is a crawler that pre-populates the caches for pages on a schedule. However, its security hash, which is supposed to protect the feature, was found to be generated by a weak random generation method.

Patchstack founder Oliver Sild discussed this with Search Engine Journal and provided background information about how the vulnerability was discovered and how serious it is.

Sild shared:

“It was reported through the Patchstack WordPress Bug Bounty program which offers bounties to security researchers who report vulnerabilities. The report qualified for a $14,400 USD bounty. We work directly with both the researcher and the plugin developer to ensure vulnerabilities get patched properly before public disclosure.

We’ve monitored the WordPress ecosystem for possible exploitation attempts since the beginning of August and so far there are no signs of mass-exploitation. But we do expect this to become exploited soon though.”

Asked how serious this vulnerability is, Sild responded:

“It’s a critical vulnerability, made particularly dangerous because of its large install base. Hackers are definitely looking into it as we speak.”

What Caused The Vulnerability?

According to Patchstack, the compromise arose because of a plugin feature that creates a temporary user that crawls the site in order to then create a cache of the web pages. A cache is a copy of web page resources that is stored and delivered to browsers when they request a web page. A cache speeds up web pages by reducing the number of times a server has to fetch from a database to serve web pages.

The technical explanation by Patchstack:

“The vulnerability exploits a user simulation feature in the plugin which is protected by a weak security hash that uses known values.

…Unfortunately, this security hash generation suffers from several problems that make its possible values known.”
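As an added illustration (this is not the plugin's or Patchstack's code, and it does not describe the actual LiteSpeed Cache implementation), the PHP below contrasts a "security hash" derived from a generator seeded with a value an outsider can estimate against one drawn from the operating system's CSPRNG, and checks a presented token with a constant-time comparison. The function names and the sample seed are hypothetical.

```php
<?php
// Added example, not code from LiteSpeed Cache or Patchstack.

// WEAK (illustration only): mt_rand() is deterministic for a given seed,
// so a token derived from a seed that can be guessed (a timestamp, a
// counter, a known constant) has a small, enumerable set of possible values.
function weak_hash(int $seed): string
{
    mt_srand($seed);
    return md5((string) mt_rand());
}

// HARDENED: random_bytes() reads from the OS CSPRNG. 32 bytes gives a
// 256-bit token that cannot be reproduced from any observable input.
function strong_hash(): string
{
    return bin2hex(random_bytes(32));
}

// Compare a presented token in constant time so a mismatch does not leak
// how many leading characters were correct.
function token_matches(string $expected, string $presented): bool
{
    return hash_equals($expected, $presented);
}

// Same seed, same "secret": this is the property a defender must avoid.
$seed = 1700000000; // constructed sample value
var_dump(weak_hash($seed) === weak_hash($seed));

// CSPRNG tokens differ on every call and verify only against themselves.
$a = strong_hash();
$b = strong_hash();
var_dump($a === $b);
var_dump(token_matches($a, $a));
var_dump(token_matches($a, $b));
```

In a WordPress plugin the generated token should additionally be stored server-side with a short lifetime (for example via `set_transient()` with an expiry of a few minutes) and tied to the single crawl run it authorizes, so that even a leaked value cannot be replayed later.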

Recommendation

Users of the LiteSpeed WordPress plugin are encouraged to update their sites immediately because hackers may be hunting down WordPress sites to exploit. The vulnerability was fixed in version 6.4.1 on August 19th.

Users of the Patchstack WordPress security solution receive instant mitigation of vulnerabilities. Patchstack is available in a free version and the paid version costs as little as $5/month.
