{"id":162876,"date":"2024-05-08T11:48:33","date_gmt":"2024-05-08T11:48:33","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=162876"},"modified":"2024-05-08T11:48:34","modified_gmt":"2024-05-08T11:48:34","slug":"litespeed-cache-wordpress-pluging-bug","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/162876\/hacking\/litespeed-cache-wordpress-pluging-bug.html","title":{"rendered":"LiteSpeed Cache WordPress plugin actively exploited in the wild"},"content":{"rendered":"
<\/div>\n

Threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress to take over web sites.<\/h2>\n\n\n\n

WPScan researchers reported that threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache<\/a> plugin for WordPress.<\/p>\n\n\n\n

LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features. The plugin has over 5 million active installations.<\/p>\n\n\n\n

The vulnerability, tracked as CVE-2023-400-9056956<\/a> (CVSS score: 8.3), is an Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) issue in LiteSpeed Technologies LiteSpeed Cache that allows Stored XSS.<\/p>\n\n\n\n

Attackers exploited the issue to create rogue admin accounts, named wpsupp\u2011user and wp\u2011configuser, on vulnerable websites.<\/p>\n\n\n\n

Upon creating admin accounts, threat actors can gain full control over the website.<\/p>\n\n\n\n

Patchstack discovered the stored cross-site scripting (XSS) vulnerability in February 2024. <\/p>\n\n\n\n

An unauthenticated user can trigger the issue to elevate privileges by using specially crafted HTTP requests.<\/p>\n\n\n\n

WPScan reported that threat actors may inject a malicious script into vulnerable versions of the\u00a0LiteSpeed plugin. The researchers observed a surge in access to a malicious URL on April 2nd and on April 27. <\/p>\n\n\n\n

“The most common IP addresses that were probably scanning for vulnerable sites were\u00a094.102.51.144, with 1,232,810 requests, and\u00a031.43.191.220\u00a0with 70,472\u00a0requests.” reads WPScan<\/a>.<\/em><\/p>\n\n\n\n

The vulnerability was fixed in October 2023 with the release of version 5.7.0.1. <\/p>\n\n\n\n

Researchers provided indicators of compromise for these attacks, including malicious URLs involved in the campaign: https[:]\/\/dns[.]startservicefounds.com\/service\/f[.]php, https[:]\/\/api[.]startservicefounds[.]com, and https[:]\/\/cache[.]cloudswiftcdn[.]com. The researchers also recommend watching out for IPs associated with the malware, such as\u00a0<\/strong>45.150.67.235.<\/p>\n\n\n\n

Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n

(<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking,\u00a0UK Ministry of Defense)<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress to take over web sites. WPScan researchers reported that threat actors are exploiting a high-severity vulnerability in LiteSpeed Cache plugin for WordPress. LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection […]<\/p>\n","protected":false},"author":1,"featured_media":36613,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3323,5,7],"tags":[88,4112,9508,9506,10918,15072,30,687,841,1533,1004],"class_list":["post-162876","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-breaking-news","category-hacking","category-malware","tag-cybercrime","tag-hacking","tag-hacking-news","tag-information-security-news","tag-it-information-security","tag-litespeed-cache","tag-malware-2","tag-pierluigi-paganini","tag-security-affairs","tag-security-news","tag-wordpress"],"yoast_head":"\n