Widespread Attack on WordPress Sites via LiteSpeed Cache Plugin Exploit (CVE-2023-40000)

Bar Refael

May 5, 2024

A critical vulnerability identified as CVE-2023-40000 in the LiteSpeed Cache Plugin for WordPress, affecting over 5 million websites globally, is being actively exploited by hackers. This exploit enables the creation of administrative accounts, thus posing severe security risks to a vast number of WordPress websites. Immediate action is required to mitigate this threat.

Vulnerability Details

  • Plugin: LiteSpeed Cache for WordPress (LSCWP)
  • Affected Versions: Prior to 5.7.0.1
  • Vulnerability Type: Cross-Site Scripting (XSS)
  • CVE-ID: CVE-2023-40000
  • Severity Rating: 8.3/10 (High Severity)
  • Discovery and Disclosure: Discovered and disclosed by Rafie Muhammad from PatchStack on October 17, 2023.
  • Vulnerability Description: The flaw arises from improper input sanitization and output escaping, alongside inadequate access control on specific REST API endpoints. This allows for unauthenticated site-wide stored XSS attacks.

Exploitation and Impact

  • Exploit Method: Attackers can inject malicious scripts to perform activities ranging from sensitive information theft to privilege escalation through a single HTTP request.
  • Current Exploitation: As of early May 2024, nearly 2 million attacks have been attempted, exploiting this vulnerability with peak activities recorded on April 2nd.
  • Sign of Compromise: Presence of new admin users, particularly with names like “wpsupp-user”, on WordPress sites.

Indicators of Compromise (IoCs)

  • Malicious URLs:
    • https[:]//dns[.]startservicefounds.com/service/f[.]php
    • https[:]//api[.]startservicefounds[.]com
    • https[:]//cache[.]cloudswiftcdn[.]com
  • Suspicious IP Addresses:
    • 45.150.67.235

Remediation Steps

  1. Immediate Actions:
    • Update the LiteSpeed Cache plugin to version 5.7.0.1 or later to mitigate the vulnerability.
    • Monitor for and remove any unauthorized admin accounts.
  2. Long-Term Security Measures:
    • Regularly update all WordPress plugins and core installations.
    • Implement rigorous input validation and output encoding practices.
    • Enhance monitoring of unusual activities, particularly related to user privilege escalation and modifications in site settings or content.

Recommendations for Site Administrators

  • Detection: Regularly scan for the aforementioned IoCs and unusual admin user account creations.
  • Cleanup: Follow structured cleanup procedures to remove any traces of infection from the site, including reviewing and deleting suspicious plugins and directories.
  • Security Enhancement: Employ additional security layers such as Web Application Firewalls (WAFs) and endpoint protection solutions tailored for web applications.

Stay Secure. Stay Informed.

OP Innovate Research Team.