CVE-2024-28000 in LiteSpeed Cache Plugin Actively Exploited: Over 30,000 Attacks Blocked in 24 Hours

by do son · August 22, 2024

A critical security vulnerability in the widely used LiteSpeed Cache plugin for WordPress has come under active exploitation, with over 30,000 attack attempts blocked in just the past 24 hours, according to Wordfence. The vulnerability, tracked as CVE-2024-28000, carries a CVSS score of 9.8, underscoring the severity of the threat. This flaw, which has been patched in the latest version of the plugin, allows unauthenticated attackers to gain administrator privileges, potentially leading to complete site takeovers.

CVE-2024-28000 is a critical privilege escalation vulnerability discovered in the LiteSpeed Cache plugin, a popular WordPress caching tool with over five million active installations. The vulnerability stems from a flaw in the plugin’s user simulation feature, which uses a weak security hash to verify user identities. The hash is generated using a non-cryptographically secure random number, derived from the microsecond portion of the current time, making it trivially guessable.

This vulnerability allows attackers to spoof their user ID and register as an administrator, giving them full control over the affected WordPress site. With administrative access, attackers can upload malicious plugins, modify site content, steal data, and further compromise the site’s security.

The vulnerability is particularly dangerous due to its ease of exploitation. Attackers can manipulate the user simulation feature to set their user ID to that of an administrator if they possess a valid hash. This hash can be obtained through brute force or by accessing debug logs that may inadvertently expose it. Once the attacker has the administrator privileges, they can create new admin-level accounts via the /wp-json/wp/v2/users REST API endpoint, effectively taking over the site.

The issue affects all versions of the LiteSpeed Cache plugin up to and including 6.3.0.1. The vulnerability has been addressed in version 6.4, released on August 13, 2024. Website administrators using the plugin are strongly urged to update to the latest version immediately to mitigate the risk of exploitation.

Wordfence, a leading WordPress security provider, reported blocking 30,369 attacks targeting CVE-2024-28000 within a single day, highlighting the urgent need for site owners to act. These attacks demonstrate the rapid adoption of the exploit by cybercriminals, who are leveraging the flaw to compromise vulnerable WordPress installations.

The attacks are currently concentrated on non-Windows-based WordPress sites, as the vulnerability relies on a PHP method called sys_getloadavg(), which is not implemented on Windows systems. This means that while Windows-based WordPress installations are immune to this specific exploit, all other installations are at significant risk.

To protect against CVE-2024-28000, WordPress site owners should:

Update the LiteSpeed Cache Plugin: Ensure that the plugin is updated to version 6.4 or later, where the vulnerability has been patched.
Review Debug Logs: Check and secure any debug logs that may contain sensitive information, including security hashes that could be used by attackers.
Monitor for Unusual Activity: Regularly monitor site logs for any signs of unauthorized access or account creation, particularly through the REST API.
Implement Additional Security Measures: Consider using additional security plugins or services, such as Wordfence, to provide real-time protection and block malicious activities.