Widespread Attack on WordPress Sites via LiteSpeed Cache Plugin Exploit (CVE-2023-40000)

Bar Refael

May 5, 2024

A critical vulnerability identified as CVE-2023-40000 in the LiteSpeed Cache Plugin for WordPress, affecting over 5 million websites globally, is being actively exploited by hackers. This exploit enables the creation of administrative accounts, thus posing severe security risks to a vast number of WordPress websites. Immediate action is required to mitigate this threat.

Vulnerability Details

  • Plugin: LiteSpeed Cache for WordPress (LSCWP)
  • Affected Versions: Prior to
  • Vulnerability Type: Cross-Site Scripting (XSS)
  • CVE-ID: CVE-2023-40000
  • Severity Rating: 8.3/10 (High Severity)
  • Discovery and Disclosure: Discovered and disclosed by Rafie Muhammad from PatchStack on October 17, 2023.
  • Vulnerability Description: The flaw arises from improper input sanitization and output escaping, alongside inadequate access control on specific REST API endpoints. This allows for unauthenticated site-wide stored XSS attacks.

Exploitation and Impact

  • Exploit Method: Attackers can inject malicious scripts to perform activities ranging from sensitive information theft to privilege escalation through a single HTTP request.
  • Current Exploitation: As of early May 2024, nearly 2 million attacks have been attempted, exploiting this vulnerability with peak activities recorded on April 2nd.
  • Sign of Compromise: Presence of new admin users, particularly with names like “wpsupp-user”, on WordPress sites.

Indicators of Compromise (IoCs)

  • Malicious URLs:
    • https[:]//dns[.]startservicefounds.com/service/f[.]php
    • https[:]//api[.]startservicefounds[.]com
    • https[:]//cache[.]cloudswiftcdn[.]com
  • Suspicious IP Addresses:

Remediation Steps

  1. Immediate Actions:
    • Update the LiteSpeed Cache plugin to version or later to mitigate the vulnerability.
    • Monitor for and remove any unauthorized admin accounts.
  2. Long-Term Security Measures:
    • Regularly update all WordPress plugins and core installations.
    • Implement rigorous input validation and output encoding practices.
    • Enhance monitoring of unusual activities, particularly related to user privilege escalation and modifications in site settings or content.

Recommendations for Site Administrators

  • Detection: Regularly scan for the aforementioned IoCs and unusual admin user account creations.
  • Cleanup: Follow structured cleanup procedures to remove any traces of infection from the site, including reviewing and deleting suspicious plugins and directories.
  • Security Enhancement: Employ additional security layers such as Web Application Firewalls (WAFs) and endpoint protection solutions tailored for web applications.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Get OP Innovate CTI Alerts

Leave your email and get critical updates and alerts straight to your inbox