A flaw in the LiteSpeed plugin threatens 5 million WordPress sites


Mélina LOUPIA

March 14, 2024 at 3:40 p.m.


LiteSpeed infects 5 million WordPress sites © David MG / Shutterstock

LiteSpeed, a very popular WordPress plugin, has proven vulnerable to an attack that could allow hackers to steal sensitive information.

A serious flaw has been identified in the LiteSpeed plugin for WordPress, putting no fewer than 5 million websites at risk. Uncovered by cybersecurity researchers at Patchstack, the LiteSpeed plugin flaw represents a significant risk to the security of WordPress sites, as it potentially allows unauthorized individuals to access sensitive information, of the kind exposed in the France Travail cyberattack of March 13, 2024.

LiteSpeed, a website acceleration plugin, is one of the most popular caching plugins for WordPress. It offers a range of optimization features for WordPress websites along with server-level caching. It is also compatible with other plugins, such as WooCommerce.

This revelation comes just months after WordPress released a critical code-execution security update intended to strengthen the security of its websites. The LiteSpeed plugin flaw, identified as CVE-2023-40000, allows hackers to escalate privileges on a WordPress site and steal any information they want by sending a single HTTP request.

“Poorly sanitized” code at the root of the flaw

The LiteSpeed plugin vulnerability was identified as an unauthenticated, site-wide stored cross-site scripting (XSS) issue. This same flaw had previously been spotted in the Zimbra Collaboration messaging software. The plugin's main security gap stems from the lack of user input validation. “This plugin suffers from an unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user to steal sensitive information or, in this case, escalate privileges on the WordPress site by making a single HTTP request,” said Rafie Muhammad, a researcher at Patchstack.

The output escaping mechanism has also been singled out in this LiteSpeed plugin flaw, specifically in the update_cdn_status function. This function, intended to display notices to administrators, provides an entry point for cross-site scripting (XSS) injection. Any user with access to wp-admin simply triggers this vulnerability, which can be easily exploited thanks to the default installation of the LiteSpeed plugin.

Furthermore, a similar XSS flaw had previously been reported by WordPress. Curiously, that earlier flaw in the LiteSpeed plugin, designated CVE-2023-4372, shared the same origin: a lack of sanitization of user inputs and escaping of outputs. Fortunately, patch version 5.7 rectified that flaw in the LiteSpeed plugin. It seems the lesson has not been learned.
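To illustrate the two defects the article describes (missing input sanitization and missing output escaping in an admin-notice path), here is an added example that is not the LiteSpeed plugin's own code: a hypothetical handler written in the vulnerable pattern, beside a hardened version using WordPress's standard sanitization, escaping, capability and nonce functions. The option name, function names and hook wiring are assumptions for the illustration.

```php
<?php
// Added illustration, not LiteSpeed code. A hypothetical handler that stores a
// status message taken from a request and later renders it as an admin notice.

// VULNERABLE PATTERN: no capability or nonce check, the raw request value is
// stored as-is, and it is echoed into wp-admin without escaping. Whatever
// markup was stored is therefore rendered in every administrator's browser.
function example_update_cdn_status_vulnerable() {
    if ( isset( $_POST['status'] ) ) {
        update_option( 'example_cdn_status', $_POST['status'] ); // no sanitization
    }
}
function example_show_notice_vulnerable() {
    $msg = get_option( 'example_cdn_status', '' );
    echo '<div class="notice notice-info"><p>' . $msg . '</p></div>'; // no escaping
}

// HARDENED PATTERN: require an authenticated administrator with a valid nonce,
// sanitize the value before storing it, and escape it when rendering.
function example_update_cdn_status_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // reject unauthenticated or low-privilege callers
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_cdn_status' ) ) {
        return; // reject requests that lack a valid nonce (CSRF protection)
    }
    if ( isset( $_POST['status'] ) ) {
        // sanitize_text_field() strips tags and control characters before storage
        $clean = sanitize_text_field( wp_unslash( $_POST['status'] ) );
        update_option( 'example_cdn_status', $clean );
    }
}
function example_show_notice_hardened() {
    $msg = get_option( 'example_cdn_status', '' );
    // esc_html() encodes <, >, & and quotes, so stored markup is shown as text
    echo '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
}

// Wire only the hardened handlers into WordPress (admin_init and admin_notices
// are real core hooks); the vulnerable pair is shown for comparison only.
add_action( 'admin_init', 'example_update_cdn_status_hardened' );
add_action( 'admin_notices', 'example_show_notice_hardened' );
```

Defence in depth matters here: escaping on output protects administrators even if a value was stored before the sanitization step existed, which is the situation a stored XSS patch has to cover.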

© Stephen Phillips / Unsplash

A patch released, but WordPress remains vulnerable to attacks

The latest version of LiteSpeed Cache, 6.1, was released on February 5. Following the discovery, the developers responded quickly with a patch, available since October last year, that users are strongly advised to apply. Users are also advised to update the plugin to at least version 5.7.0.1 to guard against possible new attacks.

The LiteSpeed plugin is used by 5 million site creators – © LiteSpeed

WordPress is the leading website builder in the world, all the more so with the recent help of artificial intelligence, and it powers about half of the global Internet. That popularity naturally makes it a prime target for hackers, who are constantly looking for ways to gain access to databases where they can steal sensitive data or launch malicious advertising and phishing campaigns. Although WordPress is generally considered secure, its often poorly maintained themes and plugins are frequently the weak link.

Plugins, especially non-commercial ones, are often developed by small teams or individuals, and sometimes they are abandoned or poorly maintained. This makes them an ideal target for attacks.


Source : Security Boulevard, TechRadar, WordPress, PatchStack

Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that still fascinates the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulations are among my favorite hobbies (that, lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
