A newly discovered vulnerability in the popular WordPress plugin, LiteSpeed Cache, has resulted in the highest bounty ever awarded in the history of WordPress bug bounty hunting. Security researcher John Blackbourn, a member of the Patchstack Alliance community, originally reported the vulnerability to the Patchstack Zero Day bug bounty programme. In recognition of the discovery, Patchstack awarded Blackbourn $14,400 USD.
LiteSpeed Cache Plugin Vulnerability
The vulnerability, classified as an unauthenticated privilege escalation, affected the plugin's more than five million installations. It allowed a visitor with no credentials at all to obtain administrator-level access, and with that access an attacker could upload and install malicious plugins and take over the whole site.
At the core of the issue was the plugin's user simulation feature, built for its crawler. That feature relied on a security hash that was generated from values an attacker could reproduce. The vulnerability, assigned the identifier CVE-2024-28000, has been fixed in version 6.4 of the LiteSpeed Cache plugin.
The weakness in the security hash generation stemmed from several factors:
- The generator was seeded with the microsecond part of the current time, so there were only one million possible seeds.
- The generator was not cryptographically secure: given the seed, its entire output is determined.
- The resulting hash was stored in the database as-is, with no salt and no binding to a particular user or request, so one value was valid for every user and every request.
Together these meant an attacker could regenerate the hash for each of the one million possible seeds, offline, until one matched the stored value, and then use it to gain unauthorized access.
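To make the three weaknesses concrete, here is an added example in PHP (our own code, not code from LiteSpeed Cache or from the Patchstack write-up). It reproduces the pattern the list describes, seeding mt_rand from the microsecond part of the clock and storing the result as a plain hash, and then recovers the hash by enumerating the seed space. The function names, the 62-symbol alphabet and the six-character hash length are our assumptions; only the seed source, the use of a non-cryptographic generator and the one-million-value seed space come from the description above. The hardened generator at the end uses random_int and a 32-symbol token.

```php
<?php
// Added example (not LiteSpeed Cache or Patchstack code). It models the three weaknesses
// listed above: seed = microsecond part of the clock, non-cryptographic mt_rand, and a
// hash that is identical for every user and request. Alphabet, hash length and function
// names are our assumptions.

const ALPHABET   = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
const SEED_SPACE = 1000000;   // microseconds are always in 0..999999

// Seed taken from the fractional seconds of microtime(): at most 10^6 distinct values.
function weak_seed(): int {
    return ((int) ((float) microtime() * 1000000)) % SEED_SPACE;
}

// Deterministic: one seed produces exactly one hash, so a 6-symbol hash drawn from a
// 62-symbol alphabet still has only 10^6 (about 2^20) reachable values, not 62^6.
function weak_hash(int $seed, int $len = 6): string {
    $alphabet = ALPHABET;
    $max = strlen($alphabet) - 1;
    mt_srand($seed);
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[mt_rand(0, $max)];
    }
    return $out;
}

// Offline brute force over the seed space; worst case one million regenerations.
function recover_seed(string $observed, int $len = 6): ?int {
    for ($seed = 0; $seed < SEED_SPACE; $seed++) {
        if (weak_hash($seed, $len) === $observed) {
            return $seed;
        }
    }
    return null;
}

// Hardened generator: CSPRNG (random_int), no seed to enumerate, 32 symbols
// (about 190 bits), so enumeration is infeasible whatever the attacker knows about the clock.
function strong_hash(int $len = 32): string {
    $alphabet = ALPHABET;
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Compare a presented value against the stored one in constant time.
function hash_matches(string $stored, string $presented): bool {
    return hash_equals($stored, $presented);
}

// Demo: the "site" seeds from the clock; the "attacker" sees only the resulting hash.
$siteSeed = weak_seed();
$stored   = weak_hash($siteSeed);
$start    = microtime(true);
$found    = recover_seed($stored);
printf("stored hash %s came from seed %d; brute force found seed %s in %.1fs\n",
    $stored, $siteSeed, var_export($found, true), microtime(true) - $start);
$accepted = $found !== null && hash_matches($stored, weak_hash($found));
printf("recovered value accepted by the site: %s\n", $accepted ? 'yes' : 'no');
printf("hardened hash: %s\n", strong_hash());
```

Run it with any PHP 7.1 or later interpreter; the full enumeration takes on the order of a second on a laptop, which is the whole point: a keyspace of one million is searched faster than a single page loads, and the only thing that makes the real attack take hours is that each guess has to travel to the target site. Note that the recovered seed can occasionally be a smaller number than the one the site used (two seeds producing the same six characters), which does not matter to the attacker, since the site accepts either.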
The vulnerability was initially thought to affect only sites with the crawler feature enabled, but a further weakness widened the impact: an unprotected Ajax handler generated and stored the security hash even when the crawler was disabled, so every site running the plugin was potentially exposed.
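The Ajax exposure is a separate defect from the weak generator: even a strong hash is of no use if any visitor can trigger its creation. The following added example is our own PHP, not the plugin's code; the action names, the option keys and the capability are placeholders, because the page does not name the real handler. It shows the unprotected pattern the page describes next to a hardened handler that is reachable only by authenticated users with a valid nonce and the right capability, refuses to run while the crawler is disabled, and draws its token from WordPress's wp_generate_password(), which is backed by wp_rand() and therefore random_int() in current WordPress releases.

```php
<?php
// Added example, not LiteSpeed Cache code. Names prefixed with example_ are placeholders;
// the real plugin's action names and option keys are not given on this page.

// Unprotected pattern: registered for logged-out callers (wp_ajax_nopriv_*), no nonce,
// no capability check, and it (re)generates and stores the hash even when the crawler
// feature is disabled. Any visitor can call it.
add_action('wp_ajax_nopriv_example_crawler_hash_weak', 'example_unprotected_handler');
add_action('wp_ajax_example_crawler_hash_weak',        'example_unprotected_handler');
function example_unprotected_handler(): void {
    mt_srand((int) ((float) microtime() * 1000000));   // clock-seeded: only 10^6 seeds
    $hash = '';
    for ($i = 0; $i < 6; $i++) {
        $hash .= chr(mt_rand(97, 122));                 // six lowercase letters
    }
    update_option('example_crawler_hash', $hash);       // same value for every user
    wp_send_json_success();
}

// Hardened: no nopriv registration (logged-in users only), a nonce created with
// wp_create_nonce('example_crawler_hash') on the admin page, a capability check,
// a no-op while the feature is off, and a CSPRNG-backed 32-character token.
add_action('wp_ajax_example_crawler_hash', 'example_hardened_handler');
function example_hardened_handler(): void {
    check_ajax_referer('example_crawler_hash', 'nonce');        // dies with 403 on a bad nonce
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);                   // wp_send_json_error() exits
    }
    if (!get_option('example_crawler_enabled', false)) {
        wp_send_json_error('crawler disabled', 400);
    }
    $token = wp_generate_password(32, false, false);            // wp_rand() -> random_int()
    update_option('example_crawler_hash', $token);
    wp_send_json_success();
}

// Verification side: constant-time comparison against the stored token. Which user the
// crawler simulates must come from server-side configuration, never from anything the
// client sends alongside the token.
function example_token_valid(string $presented): bool {
    $stored = (string) get_option('example_crawler_hash', '');
    return $stored !== '' && hash_equals($stored, $presented);
}
```

The two checks in the hardened handler address different risks: the nonce and capability check decide who may ask for a new token at all, and the feature flag guarantees that a disabled crawler leaves no usable token in the database, which is exactly the gap the unprotected handler opened on sites that had never turned the crawler on.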
Patchstack researchers confirmed that the flaw was exploitable in practice: a brute-force attack granted access to a website as any chosen user, administrators included, in anywhere from a few hours to a week.
The LiteSpeed team has since addressed the vulnerability in version 6.4 of the plugin, implementing several security enhancements to prevent future exploitation.
Update LiteSpeed Cache Plugin
If you run the LiteSpeed Cache plugin on any of your sites, take the following action now to protect them from this vulnerability.
Immediate Action:
- Update LiteSpeed Cache Plugin: Immediately update the LiteSpeed Cache plugin to version 6.4 or higher. This version includes the necessary patch to address the vulnerability.
Additional Recommendations:
- Review User Accounts and Plugins: Audit the site's user list and remove any administrator accounts you did not create. Since the attack path ends with installing plugins, also remove any plugin you do not recognise.
- Implement Temporary Mitigations: If an immediate update is not feasible, apply the temporary measures described in the LiteSpeed blog post, such as modifying the router.cls.php file or adding mod_security rules.
Conclusion
This vulnerability poses a significant risk to websites using the LiteSpeed Cache plugin. Immediate action is crucial to protect against potential attacks. By updating to the latest version and implementing the recommended security measures, website owners can mitigate the risk and ensure the security of their sites.