LiteSpeed Cache, a very popular plugin used to speed up many WordPress websites, has a vulnerability that allows attackers to take over sites completely by gaining administrator-level access.
The plugin is used on over five million websites as an all-in-one site acceleration solution. It features a server-level cache and a collection of optimization features.
John Blackbourn, a security researcher and member of the Patchstack Alliance community, discovered that LiteSpeed Cache suffers from an unauthenticated privilege escalation flaw. Any visitor to the affected website could gain administrator-level access, which attackers could exploit to upload and install malicious plugins.
The flaw lies in the way the plugin protects one of its features, called user simulation. This feature is a crawler that pre-populates the caches for pages on a schedule. However, its security hash, which is supposed to protect the feature, was found to be generated by a weak random generation method.
The random number generator used to produce the hash is seeded from the current time, but only from its microseconds portion. There are therefore only one million possible seeds, and just as many possible hash values.
“The random number generator is not cryptographically secure, which means the ‘random’ values that it generates are fully determinate if the seed is known,” the Patchstack report reads.
The security hash is generated once. It is not salted with a secret, is not tied to a particular user's request, and, once generated, never changes.
A potential attacker could easily brute-force the hash by iterating through all possible values. The attack requires knowing the ID of an Administrator-level user. However, researchers noted that user ID 1 will succeed in many cases.
Once the valid hash is found, a malicious actor can use it to create a new administrator-level account.
Vulnerable LiteSpeed Cache versions include 6.3.0.1 and earlier. On August 13th, the LiteSpeed team released version 6.4 to patch the reported issues. For crawler role simulation, the plugin now generates a fresh hash each time, using a more robust method, and gives it a time-to-live of 120 seconds.
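To make the contrast concrete, here is an added illustration (not LiteSpeed's code) of a role-simulation token issuer with the properties the fix describes: a fresh CSPRNG value per request, binding to the user ID under a server-side secret, a 120-second time-to-live and constant-time checking. The server secret, the injectable clock and the token format are assumptions made for the example.

```python
import hashlib
import hmac
import math
import secrets

# The report puts the weak scheme's seed space at one million values
# (the microsecond field of the current time), i.e. under 20 bits.
WEAK_SEED_SPACE = 1_000_000


def weak_seed_entropy_bits() -> float:
    """Effective entropy of a seed chosen only from the microsecond field."""
    return math.log2(WEAK_SEED_SPACE)  # ~19.9 bits, versus 128 bits of nonce below


class RoleSimulationToken:
    """Issues and checks a crawler role-simulation token with the properties of the
    fix described in the article. Constructed illustration, not the plugin's code."""

    TTL_SECONDS = 120

    def __init__(self, server_secret: bytes, clock):
        if len(server_secret) < 32:
            raise ValueError("server secret must be at least 32 bytes")
        self._secret = server_secret   # assumed server-side secret, never sent to clients
        self._clock = clock            # callable returning unix time; injectable for tests

    def _mac(self, user_id: int, nonce: str, expiry: int) -> str:
        # Binds the token to the user ID and expiry under the secret.
        msg = f"{user_id}:{nonce}:{expiry}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: int) -> str:
        nonce = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, new on every call
        expiry = int(self._clock()) + self.TTL_SECONDS
        return f"{nonce}.{expiry}.{self._mac(user_id, nonce, expiry)}"

    def verify(self, token: str, user_id: int) -> bool:
        try:
            nonce, expiry_s, mac = token.split(".")
            expiry = int(expiry_s)
        except ValueError:
            return False  # malformed token
        if int(self._clock()) >= expiry:
            return False  # the 120 s window has passed
        # Recompute under the secret and compare in constant time; a token for a
        # different user, or one with a tampered expiry, fails here.
        return hmac.compare_digest(mac, self._mac(user_id, nonce, expiry))
```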
“If you’re a LiteSpeed user, please update the plugin to at least version 6.4,” the report authors urge.
For the discovery, Blackbourn was rewarded $14,400 in cash, the highest bounty ever paid in WordPress bug bounty hunting.
This is the second vulnerability affecting WordPress websites reported this week. More than 100,000 sites are also vulnerable to a flaw in the GiveWP donation and fundraising plugin, which was patched in version 3.14.2, released on August 7th.