WordPress Sites Under Widespread Attack – LiteSpeed Cache Plugin Exploit Puts Millions at Risk
Hackers are actively exploiting a vulnerability in the LiteSpeed Cache Plugin for WordPress, a tool currently installed on over 5 million websites worldwide. The vulnerability, known as CVE-2023-40000, allows attackers to create administrative accounts, posing severe security risks for countless WordPress sites.
Background and Discovery
LiteSpeed Cache for WordPress (LSCWP) is renowned for its comprehensive site acceleration features, including an exclusive server-level cache and a suite of optimization functionalities. Despite its popularity and utility, the plugin came under scrutiny when researchers identified a high-severity stored Cross-Site Scripting (XSS) issue in versions before 5.7.0.1. The vulnerability received a severity score of 8.3/10 (CVSS) because of its potential for serious impact.
The flaw was disclosed by Rafie Muhammad of Patchstack on October 17, 2023. It is an unauthenticated, site-wide stored XSS: with a single HTTP request, an attacker can perform a range of malicious actions on the WordPress site, from stealing sensitive information to escalating privileges.
The Exploit in Action
The vulnerability arises from inadequate input sanitization and output escaping in the code that processes user inputs, coupled with improper access control on one of the REST API endpoints provided by the plugin. Since its disclosure, nearly 2 million attacks attempting to exploit this flaw have been recorded by WPScan, with the majority occurring on April 2nd.
WPScan has issued an alert that if administrators detect a new admin user named “wpsupp-user” on their websites, it is a clear sign of this vulnerability being exploited.
Signs of Infection and Remediation Steps
WPScan has outlined several steps and indicators to help WordPress site administrators identify and clean up infections:
- Contamination Signs: Check for unusual admin users like “wpsupp-user” and “wp-configuser”, and search the database for suspicious strings such as “eval(atob(Strings.fromCharCode”, particularly in the option litespeed.admin_display.messages.
- Identifying Malicious URLs and IPs: Be wary of URLs like https[:]//dns[.]startservicefounds.com/service/f[.]php , https[:]//api[.]startservicefounds[.]com, https[:]//cache[.]cloudswiftcdn[.]com and IPs such as 45.150.67.235 which are linked to the attackers.
- Cleanup Procedures: Administrators are advised to review installed plugins, apply updates, and delete folders associated with any suspicious plugins.
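The following triage script checks exported wp_users, wp_usermeta and wp_options rows for the indicators listed above (rogue usernames, the eval(atob(...)) marker in litespeed.admin_display.messages, and references to the attacker hosts). It is an added example, not tooling from WPScan or LiteSpeed; the row layouts, the wp_ table prefix and the sample rows are assumptions, and the marker regex also tolerates the spelling String.fromCharCode.

```python
"""Triage helper for the LiteSpeed Cache (CVE-2023-40000) indicators.
Added example, not WPScan's or LiteSpeed's code. Rows are assumed to be
plain tuples exported from the wp_users, wp_usermeta and wp_options
tables (table prefix assumed to be wp_)."""
import re

# Indicators quoted in the WPScan guidance
SUSPICIOUS_LOGINS = {"wpsupp-user", "wp-configuser"}
TARGET_OPTION = "litespeed.admin_display.messages"
# The page quotes "Strings.fromCharCode"; the regex also matches "String".
PAYLOAD_MARKER = re.compile(r"eval\(atob\(Strings?\.fromCharCode")
MALICIOUS_HOSTS = {"dns.startservicefounds.com", "api.startservicefounds.com",
                   "cache.cloudswiftcdn.com", "45.150.67.235"}

def is_admin(user_id, usermeta):
    """True if wp_usermeta grants the administrator role via wp_capabilities."""
    for uid, key, value in usermeta:
        if uid == user_id and key == "wp_capabilities" and "administrator" in value:
            return True
    return False

def scan_site(users, usermeta, options):
    """Return (indicator, detail) findings; an empty list means no match."""
    findings = []
    for uid, login, registered in users:           # rows: (ID, user_login, user_registered)
        if login in SUSPICIOUS_LOGINS:
            role = "administrator" if is_admin(uid, usermeta) else "non-admin"
            findings.append(("rogue_user", f"{login} (id {uid}, {role}, created {registered})"))
    for name, value in options:                     # rows: (option_name, option_value)
        if name == TARGET_OPTION and PAYLOAD_MARKER.search(value):
            findings.append(("stored_xss_payload", name))
        for host in MALICIOUS_HOSTS:
            if host in value:
                findings.append(("c2_reference", f"{host} in option {name}"))
    return findings

# Constructed sample rows (not from a real site): a rogue admin, the marker
# stored in the LiteSpeed messages option, and one option referencing a C2 host.
SAMPLE_USERS = [(1, "admin", "2022-01-10 09:00:00"),
                (7, "wpsupp-user", "2024-04-02 13:37:00")]
SAMPLE_USERMETA = [(1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
                   (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}')]
SAMPLE_OPTIONS = [("blogname", "Example Site"),
                  (TARGET_OPTION, 'a:1:{i:0;s:40:"<script>eval(atob(Strings.fromCharCode";}'),
                  ("widget_custom_html", 'src="https://cache.cloudswiftcdn.com"')]

if __name__ == "__main__":
    for indicator, detail in scan_site(SAMPLE_USERS, SAMPLE_USERMETA, SAMPLE_OPTIONS):
        print(f"[{indicator}] {detail}")
```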
Urgent Call to Action
To mitigate the risk and safeguard WordPress sites, administrators must update the LiteSpeed Cache plugin to version 5.7.0.1 or later immediately. Given the scale of this threat and the popularity of the affected plugin, rapid action is essential to prevent further compromises and ensure the security of both site operators and their users.