August 23, 2024
Severity
High
Analysis Summary
A critical security flaw has been uncovered in the WordPress LiteSpeed Cache plugin, which could allow unauthenticated users to gain administrator privileges. This vulnerability, identified as CVE-2024-28000 with a CVSS score of 9.8, is rooted in the plugin's user simulation feature. The flaw permits attackers to spoof their user ID and register as administrative users, granting them full control over the affected WordPress site.
The vulnerability was disclosed by cybersecurity researchers and has since been patched in version 6.4 of the plugin, released on August 13, 2024. All versions of the plugin up to 6.3.0.1 are affected. The underlying issue stems from a weak security hash that the plugin generates from a trivially guessable random number derived from the microsecond portion of the current time.
This method allows for only one million possible values, making it susceptible to brute-force attacks. Additionally, the random number generator is not cryptographically secure, and the hash is neither salted nor tied to specific requests or users, further weakening its security. An attacker who obtains a valid hash, either from debug logs or through brute force, can use it to escalate their privileges to the administrator level.
By exploiting this vulnerability, attackers can create a new user account with administrator privileges using the /wp-json/wp/v2/users REST API endpoint. However, it's worth noting that this vulnerability cannot be exploited on Windows-based WordPress installations, because the plugin relies on a PHP function, sys_getloadavg(), which is not implemented on Windows systems. Despite this limitation, the vulnerability poses a significant risk to millions of WordPress sites, particularly those running in non-Windows environments.
Given the severity of this vulnerability and the potential for exploitation, all users of the LiteSpeed Cache plugin must update to the latest version immediately. This incident also underscores the importance of using strong, unpredictable values for security hashes or nonces to prevent such vulnerabilities from being exploited. With the recent history of another vulnerability in LiteSpeed Cache (CVE-2023-40000) being exploited, the urgency to patch this flaw cannot be overstated.
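The following is an added illustration, not code from the LiteSpeed Cache plugin or from this advisory. It models the weak pattern described above (a hash whose only entropy is the microsecond field of the clock, so the keyspace is one million values) next to a hardened form that uses a CSPRNG nonce and a keyed HMAC bound to the user and request. The secret key, user IDs and nonces are constructed sample values.

```python
import hashlib
import hmac
import math
import secrets
import time

# Constructed model of the weak scheme (not the plugin's own code): the seed is
# the microsecond field of the current time, so at most 1,000,000 distinct
# hashes exist no matter how long the hex digest looks.
MICROSECOND_SPACE = 1_000_000


def weak_hash(microseconds: int) -> str:
    """Hash derived solely from a microsecond value in [0, 10^6)."""
    if not 0 <= microseconds < MICROSECOND_SPACE:
        raise ValueError("microsecond field must be in [0, 1000000)")
    return hashlib.md5(str(microseconds).encode()).hexdigest()


def weak_hash_from_clock() -> str:
    """How the weak scheme would be seeded in practice: clock microseconds."""
    return weak_hash((time.time_ns() // 1000) % MICROSECOND_SPACE)


def weak_keyspace_bits() -> float:
    """Effective entropy of the weak scheme: log2 of the number of seeds (~19.9)."""
    return math.log2(MICROSECOND_SPACE)


def new_request_nonce() -> bytes:
    """Hardened form, step 1: 128-bit nonce from a CSPRNG, one per request."""
    return secrets.token_bytes(16)


def strong_hash(server_secret: bytes, user_id: int, request_nonce: bytes) -> str:
    """Hardened form, step 2: keyed HMAC bound to both the user and the request.

    A leaked value in a debug log is useless for another user or request, and
    the 256-bit key cannot be brute-forced the way a 10^6 seed space can.
    """
    msg = f"user:{user_id}:".encode() + request_nonce
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


def verify_strong_hash(server_secret: bytes, user_id: int,
                       request_nonce: bytes, presented: str) -> bool:
    """Constant-time comparison so verification does not leak timing."""
    expected = strong_hash(server_secret, user_id, request_nonce)
    return hmac.compare_digest(expected, presented)
```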
Impact
- Privilege Escalation
- Unauthorized Access
- Identity Theft
Indicators of Compromise
CVE
- CVE-2024-28000
Affected Vendors
Remediation
- Upgrade to the latest version of LiteSpeed Cache Plugin for WordPress, available from the LiteSpeed Technologies Website.
- Enhance the security of your WordPress site by implementing two-factor authentication.
- Keep your WordPress core and all installed plugins up to date.
- Conduct regular security audits of your WordPress site.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Keep all software, operating systems, and applications updated with the latest security patches.
- Continuously monitor network and system logs for unusual or suspicious activities.
- Review and secure website code to prevent open redirect vulnerabilities.
- Educate all site administrators about security best practices and the potential risks associated with phishing emails, fake security advisories, and malicious plugins.