Pierluigi Paganini May 08, 2024

Threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress to take over web sites.

WPScan researchers reported that threat actors are exploiting a high-severity vulnerability in LiteSpeed Cache plugin for WordPress.

LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features. The plugin has over 5 million active installations.

The vulnerability, tracked as CVE-2023-40000 CVSS score: 8.3, is an Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) issue in LiteSpeed Technologies LiteSpeed Cache that allows Stored XSS.

Attackers exploited the issue to create a rogue admin account, named wpsupp‑user and wp‑configuser, on vulnerable websites.

Upon creating admin accounts, threat actors can gain full control over the website.

Patchstack discovered the stored cross-site scripting (XSS) vulnerability in February 2024.

An unauthenticated user can trigger the issue to elevate privileges by using specially crafted HTTP requests.

WPScan reported that threat actors may inject a malicious script into vulnerable versions of the LiteSpeed plugin. The researchers observed a surge in access to a malicious URL on April 2nd and on April 27.

“The most common IP addresses that were probably scanning for vulnerable sites were 94.102.51.144, with 1,232,810 requests, and 31.43.191.220 with 70,472 requests.” reads WPScan. “The most common IP addresses that were probably scanning for vulnerable sites were 94.102.51.144, with 1,232,810 requests, and 31.43.191.220 with 70,472 requests.”

The vulnerability was fixed in October 2023 with the release of version 5.7.0.1.

Researchers provided indicators of compromise for these attacks, including malicious URLs involved in the campaign: https[:]//dns[.]startservicefounds.com/service/f[.]php, https[:]//api[.]startservicefounds[.]com, and https[:]//cache[.]cloudswiftcdn[.]com. The researchers also recommends to Watch out for IPs associated with the malware, such as 45.150.67.235.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, UK Ministry of Defense)