WordPress websites have been targeted in recent attacks that inject malicious JavaScript through a vulnerability in the LiteSpeed Cache plugin, according to WPScan, Automattic's security team.
With the internet hosting over 1.89 billion websites as of 2024, a significant portion, around 835 million, rely on WordPress as their chosen Content Management System (CMS). This makes WordPress a prime target for cyber criminals looking to exploit weaknesses in the system.
According to WPScan's blog post, threat actors are exploiting a stored cross-site scripting (XSS) vulnerability present in older versions of the LiteSpeed Cache plugin. The vulnerability, tracked as CVE-2023-40000 with a severity score of 8.8, allows unauthenticated users to elevate their privileges through specially crafted HTTP requests. Patchstack disclosed it in February 2024; it affects LiteSpeed Cache plugin versions older than 5.7.0.1.
The vulnerability is an unauthenticated stored XSS in outdated versions of the plugin. Unauthenticated means that attackers need no login credentials to inject malicious code into the site; stored means that the injected code is saved in the website's database and is served to every user who visits the affected page. Attackers have been using this vulnerability to plant malicious JavaScript in WordPress files and databases and to create administrator accounts named 'wpsupp-user' or 'wp-configuser'.
Malicious URLs and IPs associated with these attacks include domains like startservicefounds.com/service/f.php, apistartservicefounds.com, cachecloudswiftcdn.com, and an IP tracked as 45.150.67.235.
LiteSpeed Cache is installed on over five million WordPress websites, largely because it can boost Google Search rankings. Although the vulnerability was fixed in version 5.7.0.1 back in October 2023, many users have still not updated to a non-vulnerable version. Despite the availability of the latest version, 6.2.0.1, released on April 25, 2024, approximately 1,835,000 sites continue to run vulnerable releases, leaving them susceptible to infection.
The ability for threat actors to create admin accounts on WordPress sites poses severe risks, allowing unauthorized individuals to gain full access and carry out malicious actions such as injecting malware or installing harmful plugins. The security breach comes soon after Sucuri uncovered a redirect scam campaign, known as Mal.Metrica, which employs fake CAPTCHA prompts to redirect users to fraudulent websites.
To safeguard WordPress sites from such attacks, users are advised to update the LiteSpeed Cache plugin to the latest version, run malware scans with reputable WordPress security tools, and change all login credentials. WPScan recommends searching for suspicious strings in the litespeed.admin_display.messages option and checking for the presence of the 'wpsupp-user' account on potentially compromised websites.
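The two checks WPScan recommends, written up as an added example (not code from WPScan or the LiteSpeed project): it scans the value of the litespeed.admin_display.messages option for injected markup and the indicators named in this article, and flags the attacker-created usernames plus any administrator not on an operator-supplied allowlist (the allowlist and the sample data are assumptions constructed for the demo). The option value would normally come from `wp option get litespeed.admin_display.messages` or a query against wp_options.

```python
import re

# Indicators taken from the article: the option WPScan points to, the
# attacker-created admin usernames, and the domains/IP named in the report.
OPTION_NAME = "litespeed.admin_display.messages"
ROGUE_USERNAMES = {"wpsupp-user", "wp-configuser"}
KNOWN_INDICATORS = (
    "startservicefounds.com",
    "apistartservicefounds.com",
    "cachecloudswiftcdn.com",
    "45.150.67.235",
)

# Admin notices are supposed to be plain HTML text; script tags, javascript:
# URLs or inline event handlers should never appear in this option.
INJECTED_MARKUP = re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def find_suspicious_messages(option_value: str) -> list[str]:
    """Return reasons the stored admin-notice option looks injected (empty = clean)."""
    reasons = []
    if INJECTED_MARKUP.search(option_value):
        reasons.append("script/event-handler markup in admin notice")
    reasons.extend(f"known indicator {ioc}" for ioc in KNOWN_INDICATORS if ioc in option_value)
    return reasons


def find_rogue_admins(users, expected_admins) -> list[tuple[str, str]]:
    """users: (user_login, role) pairs as dumped from wp_users/wp_usermeta.
    expected_admins: set of administrator logins the site owner recognises (assumption)."""
    hits = []
    for login, role in users:
        if login in ROGUE_USERNAMES:
            hits.append((login, "username used by the LiteSpeed Cache campaign"))
        elif role == "administrator" and login not in expected_admins:
            hits.append((login, "administrator not on the allowlist"))
    return hits


# Constructed sample data: a PHP-serialised notice carrying an injected script
# tag, and a user dump containing one rogue admin account.
SAMPLE_OPTION_VALUE = (
    'a:1:{i:0;s:86:"<div class="notice"><script src="https://'
    'startservicefounds.com/service/f.php"></script></div>";}'
)
SAMPLE_USERS = [("admin", "administrator"), ("wpsupp-user", "administrator"), ("editor1", "editor")]

if __name__ == "__main__":
    print(OPTION_NAME, find_suspicious_messages(SAMPLE_OPTION_VALUE))
    print(find_rogue_admins(SAMPLE_USERS, expected_admins={"admin"}))
```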