May 9, 2024
Severity
High
Analysis Summary
The recent surge in cyberattacks targeting WordPress sites underscores the critical importance of keeping plugins up to date and maintaining vigilant security practices. Threat actors are actively exploiting two notable vulnerabilities, one in the LiteSpeed Cache plugin and one in the Email Subscribers plugin.
LiteSpeed Cache versions older than 5.7.0.1 are vulnerable to an unauthenticated stored cross-site scripting flaw (CVE-2023-40000, CVSS score 8.8). Attackers use it to inject malicious JavaScript into the site's files or database; when that script executes in a logged-in administrator's browser, it creates unauthorized administrator accounts such as 'wpsupp-user' or 'wp-configuser'. The presence of the string "eval(atob(Strings.fromCharCode" inside the "litespeed.admin_display.messages" option in the database is indicative of a compromise.
Similarly, the Email Subscribers plugin is being exploited through a critical SQL injection vulnerability (CVE-2024-2876) affecting versions 5.7.14 and older. The flaw lets unauthenticated attackers execute arbitrary database queries, which they use to create new administrator accounts on compromised sites. Although the plugin has a smaller user base than LiteSpeed Cache, this campaign demonstrates that cybercriminals will exploit any available vulnerability to gain unauthorized access.
Given the severity of these attacks, WordPress administrators are strongly advised to update all plugins to the latest versions promptly. Unnecessary plugins and components should be removed or disabled to reduce the attack surface. Monitoring for unusual activity, especially the creation of new administrator accounts, is crucial for detecting unauthorized access attempts.
In the event of a confirmed breach, a comprehensive cleanup process is essential. This includes deleting all rogue accounts, resetting passwords for all legitimate accounts, and restoring both the database and site files from clean backups. Site owners must exercise diligence in implementing these remedial measures to mitigate the risk posed by these attacks.
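The three checks described above (the obfuscated script in the "litespeed.admin_display.messages" option, unexpected administrator accounts, and traffic to the listed indicators) can be triaged offline. The following script is an added example and is not code from the advisory; it works on constructed sample data embedded inline. In practice you would feed it the output of `wp option get litespeed.admin_display.messages`, `wp user list --role=administrator`, and your web server access log. The regex accepts both the "Strings.fromCharCode" spelling quoted above and the real JavaScript identifier `String.fromCharCode` (an assumption), and the placeholder inner script stands in for the real payload, which is not reproduced here.

```python
"""Offline triage for the WordPress compromise indicators in this advisory.

Added example; the sample option value, user list and log lines below are
constructed for illustration, not captured from a real incident.
"""
import base64
import re
from typing import Iterable, List, Optional, Tuple

# --- 1. The obfuscated payload stored in the LiteSpeed option ----------------
# Shape described in the advisory: eval(atob(String.fromCharCode(...))).
# The inner script is a harmless placeholder (assumption), not the real malware.
INNER_JS = "console.log('placeholder')"
_b64 = base64.b64encode(INNER_JS.encode()).decode()
_codes = ",".join(str(ord(c)) for c in _b64)
SAMPLE_OPTION_VALUE = f"<script>eval(atob(String.fromCharCode({_codes})))</script>"

# Tolerates "Strings." (as quoted in the advisory) and "String." (real JS).
IOC_PATTERN = re.compile(r"eval\(atob\(Strings?\.fromCharCode\(([\d,\s]+)\)\)\)")


def decode_payload(option_value: str) -> Optional[str]:
    """Return the decoded inner JavaScript if the IOC pattern is present, else None.

    Reverses the two layers: char codes -> base64 text -> script source.
    """
    m = IOC_PATTERN.search(option_value)
    if not m:
        return None
    b64_text = "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    return base64.b64decode(b64_text).decode("utf-8", errors="replace")


# --- 2. Rogue administrator accounts ------------------------------------------
ROGUE_USERNAMES = {"wpsupp-user", "wp-configuser"}


def find_rogue_admins(users: Iterable[Tuple[str, str]], known_admins: set) -> List[str]:
    """Flag the usernames named in the advisory and any administrator not on the
    site owner's allow-list. `users` is an iterable of (login, role) pairs.
    """
    hits = []
    for login, role in users:
        if login in ROGUE_USERNAMES or (role == "administrator" and login not in known_admins):
            hits.append(login)
    return hits


# --- 3. Network indicators in the access log ----------------------------------
IOC_IPS = {"45.150.67.235", "94.102.51.144", "31.43.191.220"}
IOC_HOSTS = {
    "dns.startservicefounds.com",
    "api.startservicefounds.com",
    "cache.cloudswiftcdn.com",
}

# Constructed Apache/Nginx combined-format lines (assumption about log format).
SAMPLE_LOG = [
    '203.0.113.10 - - [09/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '94.102.51.144 - - [09/May/2024:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 43 "-" "python-requests/2.31"',
    '198.51.100.7 - - [09/May/2024:10:01:12 +0000] "GET /wp-content/x.js HTTP/1.1" 200 900 "https://cache.cloudswiftcdn.com/" "Mozilla/5.0"',
]


def scan_access_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, indicator) for each line whose client IP is an IOC
    address or whose content mentions one of the IOC hostnames."""
    hits = []
    for i, line in enumerate(lines, 1):
        client_ip = line.split(" ", 1)[0]
        if client_ip in IOC_IPS:
            hits.append((i, client_ip))
            continue
        for host in IOC_HOSTS:
            if host in line:
                hits.append((i, host))
                break
    return hits


if __name__ == "__main__":
    print("decoded payload:", decode_payload(SAMPLE_OPTION_VALUE))
    print("rogue admins:", find_rogue_admins(
        [("alice", "administrator"), ("wpsupp-user", "administrator"), ("bob", "editor")],
        known_admins={"alice"}))
    print("log hits:", scan_access_log(SAMPLE_LOG))
```

A hit from `decode_payload` is sufficient on its own to treat the site as compromised; the decoded script shows what the injected code was doing, which helps scope the cleanup. The administrator check deliberately flags every admin login not on the allow-list rather than only the two names seen in this campaign, since the rogue usernames will change.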
Ultimately, proactive security measures such as regular updates, diligent monitoring, and swift incident response are paramount in safeguarding WordPress sites against evolving cyber threats. By staying informed about vulnerabilities and adhering to best practices, site administrators can significantly enhance the security posture of their WordPress installations and protect their users' data from malicious exploitation.
Impact
- Cross-Site Scripting
- Unauthorized Access
- Privilege Escalation
- Information Theft
Indicators of Compromise
IP
- 45.150.67.235
- 94.102.51.144
- 31.43.191.220
URL
- https://dns.startservicefounds.com/service/f.php
- https://api.startservicefounds.com/
- https://cache.cloudswiftcdn.com/
Remediation
- Upgrade LiteSpeed Cache to version 5.7.0.1 or later and Email Subscribers to version 5.7.15 or later; the latest releases are available from the WordPress Plugin Directory.
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enhance the security of your WordPress site by implementing two-factor authentication.
- Keep your WordPress core and all installed plugins up to date.
- Conduct regular security audits of your WordPress site.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Keep all software, operating systems, and applications updated with the latest security patches.
- Continuously monitor network and system logs for unusual or suspicious activities.
- Review and secure website code to prevent open redirect vulnerabilities.
- Educate all site administrators about security best practices and the potential risks associated with phishing emails, fake security advisories, and malicious plugins.