Sunday, March 9, 2025

Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access


Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to gain administrator privileges.

“The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated user to gain Administrator level access after which malicious plugins could be uploaded and installed,” Patchstack’s Rafie Muhammad said in a Wednesday report.

The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), has been patched in version 6.4 of the plugin, released on August 13, 2024. It affects all versions of the plugin, including and prior to 6.3.0.1.


LiteSpeed Cache is one of the most widely used caching plugins in WordPress, with over 5 million active installations.

In a nutshell, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them privileges to take over a vulnerable WordPress site.


The vulnerability is rooted in a user simulation feature in the plugin that uses a weak security hash, one that suffers from the use of a trivially guessable random number as the seed.

Specifically, there are only 1,000,000 possible values for the security hash because the random number generator is seeded from the microsecond portion of the current time. What's more, the random number generator is not cryptographically secure, and the generated hash is neither salted nor tied to a particular request or a user.
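The weakness described above, and a token design that avoids it, as an added Python example (not the plugin's code, which is PHP). The 6-character token length, the alphabet, and the names `weak_token`, `issue_token` and `verify_token` are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import random
import secrets

SEED_SPACE = 1_000_000  # microsecond portion of the current time: 0..999999
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"  # assumed for illustration


def weak_token(microseconds: int, length: int = 6) -> str:
    """Flawed pattern: non-cryptographic PRNG seeded only from microseconds."""
    rng = random.Random(microseconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def apparent_bits(length: int = 6) -> float:
    """Entropy the token appears to have, judged from its length alone."""
    return length * math.log2(len(ALPHABET))


def effective_bits(seed_space: int = SEED_SPACE) -> float:
    """Real entropy: the token is a pure function of the seed."""
    return math.log2(seed_space)


def _mac(server_key: bytes, user_id: int, request_id: str, nonce: str) -> str:
    msg = f"{user_id}|{request_id}|{nonce}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def issue_token(server_key: bytes, user_id: int, request_id: str) -> str:
    """Hardened pattern: CSPRNG nonce, keyed and bound to user and request."""
    nonce = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
    return f"{nonce}.{_mac(server_key, user_id, request_id, nonce)}"


def verify_token(server_key: bytes, user_id: int, request_id: str, token: str) -> bool:
    nonce, _, mac = token.partition(".")
    expected = _mac(server_key, user_id, request_id, nonce)
    return hmac.compare_digest(mac, expected)  # constant-time comparison


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample server secret
    tok = issue_token(key, 7, "req-1")
    print(f"apparent {apparent_bits():.1f} bits, effective {effective_bits():.1f} bits")
    print("same user/request:", verify_token(key, 7, "req-1", tok))
    print("other user:", verify_token(key, 1, "req-1", tok))
```

Making the weak token longer does not help, since its output is fully determined by one of 1,000,000 seeds. The hardened token is rejected for any other user ID or request.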

“This is due to the plugin not properly restricting the role simulation functionality allowing a user to set their current ID to that of an administrator, if they have access to a valid hash which can be found in the debug logs or through brute force,” Wordfence said in its own alert.


“This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator, and then create a new user account with the administrator role utilizing the /wp-json/wp/v2/users REST API endpoint.”


It’s important to note that the vulnerability cannot be exploited on Windows-based WordPress installations because the hash generation function relies on a PHP function called sys_getloadavg() that is not implemented on Windows.

“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” Muhammad said.

With a previously disclosed flaw in LiteSpeed Cache (CVE-2023-40000, CVSS score: 8.3) exploited by malicious actors, it is imperative that users move quickly to update their instances to the latest version.
