Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to gain administrator privileges.
“The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and installed,” Patchstack’s Rafie Muhammad said in a Wednesday report.
The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), has been patched in version 6.4 of the plugin released on August 13, 2024. It impacts all versions of the plugin, including and prior to 6.3.0.1.
LiteSpeed Cache is one of the most widely used caching plugins in WordPress with over 5 million active installations.
In a nutshell, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them privileges to take over a vulnerable WordPress site.
The vulnerability is rooted in a user simulation feature in the plugin that uses a weak security hash that suffers from the use of a trivially guessable random number as the seed.
Specifically, there are only one million possible values for the security hash due to the fact that the random number generator is derived from the microsecond portion of the current time. What’s more, the random number generator is not cryptographically secure, and the generated hash is neither salted nor tied to a particular request or user.
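The weakness described above is a keyspace problem: whatever the length of the final hash, a token that is a pure function of the clock's microsecond field can take at most one million values. The following is an added example written for this article, not the plugin's code; the `weak_hash` construction is an assumed simplification that reproduces only the property the text describes (a non-cryptographic PRNG seeded from a 0..999999 microsecond value), placed beside the hardened pattern a developer would use instead: a CSPRNG token that is also bound to a user ID with an HMAC under a server-side secret, so a token that leaks into a debug log does not verify for any other user.

```python
import hashlib
import hmac
import random
import secrets

# A timestamp's microsecond field is 0..999999, so a hash derived only from it
# has at most one million distinct values, however many characters it contains.
MICROSECOND_SPACE = 1_000_000


def weak_hash(microseconds: int, length: int = 6) -> str:
    """Illustrative weak construction (an assumption for this example, not the
    plugin's actual code): a non-cryptographic PRNG is seeded with the microsecond
    part of the clock and its first output is hashed and truncated. The result is
    a pure function of the seed, so it is exactly as guessable as the seed."""
    rng = random.Random(microseconds)  # Mersenne Twister: fast, but not a CSPRNG
    digest = hashlib.sha256(str(rng.getrandbits(32)).encode()).hexdigest()
    return digest[:length]


def weak_hash_keyspace(seed_count: int = MICROSECOND_SPACE) -> int:
    """Count the distinct hashes reachable from the first seed_count seeds.
    The count can never exceed seed_count (and dips slightly below it once
    truncation collisions set in). This is the audit check to run on any token
    whose only entropy is a clock field."""
    return len({weak_hash(seed) for seed in range(seed_count)})


def strong_token(nbytes: int = 32) -> str:
    """Hardened replacement: a CSPRNG token with 2**256 possibilities that does
    not depend on the clock, so neither request timing nor one logged token
    helps in predicting the next."""
    return secrets.token_hex(nbytes)


def bind_token(token: str, user_id: int, server_secret: bytes) -> str:
    """Tie a token to a single user ID with an HMAC under a server-side secret.
    Even if the token itself leaks (for instance into a debug log), the tag only
    verifies for the user it was issued to, which is the 'tied to a user'
    property the article says the vulnerable hash lacked."""
    message = f"{user_id}:{token}".encode()
    return hmac.new(server_secret, message, hashlib.sha256).hexdigest()


def verify_bound_token(token: str, user_id: int, tag: str, server_secret: bytes) -> bool:
    """Constant-time comparison of the presented tag against the expected one."""
    expected = bind_token(token, user_id, server_secret)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed demonstration values; no real site or secret is involved.
    print("weak hash for seed 123456:", weak_hash(123456))
    print("distinct weak hashes from 20,000 seeds:", weak_hash_keyspace(20_000))
    secret = b"constructed-server-secret"
    token = strong_token()
    tag = bind_token(token, user_id=7, server_secret=secret)
    print("tag verifies for user 7:", verify_bound_token(token, 7, tag, secret))
    print("same tag for user 1:", verify_bound_token(token, 1, tag, secret))
```

`weak_hash_keyspace()` with its default argument walks the whole one-million-seed space and returns a number that cannot exceed `MICROSECOND_SPACE`, which is the point: a 6-character hex string looks like it has 16.7 million values, but the seed caps the real keyspace far lower. The hardened path separates the two concerns the article names, unpredictability (a CSPRNG token) and binding (an HMAC over the user ID), and compares in constant time so the verifier does not leak through timing.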
“This is due to the plugin not properly restricting the role simulation functionality allowing a user to set their current ID to that of an administrator, if they have access to a valid hash which can be found in the debug logs or through brute force,” Wordfence said in its own alert.
“This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator, and then create a new user account with the administrator role utilizing the /wp-json/wp/v2/users REST API endpoint.”
It’s worth noting that the vulnerability cannot be exploited on Windows-based WordPress installations due to the hash generation function’s reliance on a PHP method called sys_getloadavg() that is not implemented on Windows.
“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” Muhammad said.
With a previously disclosed flaw in LiteSpeed Cache (CVE-2023-40000, CVSS score: 8.3) exploited by malicious actors, it’s essential that users move quickly to update their instances to the latest version.