Critical LiteSpeed Cache Plugin Flaw Exposes WordPress Sites

A critical vulnerability in the LiteSpeed Cache plugin has been identified, potentially exposing millions of WordPress sites to severe security risks. 

This flaw, discovered by John Blackbourn through the Patchstack zero-day bug bounty program, allows unauthorized users to gain administrator-level access. It could lead to the installation of malicious plugins and the compromise of affected websites.

The vulnerability arises from the plugin’s weak security hash used in its user simulation feature. The hash is created through an insecure random number generator and stored without being salted or tied to a specific user request. 

With only one million possible values, Patchstack warned the hash is relatively easy to guess, allowing attackers to iterate through all possibilities to discover the correct hash and simulate an administrator user.

“We were able to determine that a brute force attack that iterates all one million known possible values for the security hash and passes them in the litespeed_hash cookie – even running at a relatively low three requests per second – is able to gain access to the site as any given user ID within between a few hours and a week,” Patchstack explained.

Additionally, the vulnerability can be exploited even if the plugin’s crawler feature is initially disabled. Attackers can trigger the generation of the weak security hash via an unprotected Ajax handler, making sites running the LiteSpeed Cache plugin potentially vulnerable, regardless of their specific settings.
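The traffic shape Patchstack describes, one client sending many different litespeed_hash cookie values over hours or days, is detectable from web server logs. The following PHP is an added illustrative example, not code from the article or from the LiteSpeed project: it counts distinct litespeed_hash values per client address and flags any client that exceeds a threshold. It assumes an access-log format that records the Cookie header (most default formats do not), and the log lines it processes are constructed sample data.

```php
<?php
// Added illustrative example (not from the article or the plugin): flag clients that
// cycle through many distinct litespeed_hash cookie values, the traffic shape of the
// guessing described in the article. Assumes the log format records the Cookie header;
// the sample lines below are constructed, not real traffic.

function detect_hash_cycling(array $log_lines, int $threshold = 50): array {
    $seen = [];   // client IP => set of distinct litespeed_hash values
    foreach ($log_lines as $line) {
        // Expected shape: <ip> <date> "<request>" <status> "<cookie header>"
        if (!preg_match('/^(\S+) .*"litespeed_hash=([^;" ]+)/', $line, $m)) {
            continue;   // no litespeed_hash cookie on this request
        }
        $seen[$m[1]][$m[2]] = true;
    }
    $flagged = [];
    foreach ($seen as $ip => $values) {
        if (count($values) >= $threshold) {
            $flagged[$ip] = count($values);   // number of distinct values tried
        }
    }
    return $flagged;
}

// Constructed sample: one client presents 60 different hash values (one per request),
// another presents the same value five times, as a legitimately logged-in user would.
$lines = [];
for ($i = 0; $i < 60; $i++) {
    $lines[] = sprintf(
        '203.0.113.5 [01/Sep/2024:10:00:%02d +0000] "GET / HTTP/1.1" 302 "litespeed_hash=%06d"',
        $i, $i
    );
}
for ($i = 0; $i < 5; $i++) {
    $lines[] = '198.51.100.9 [01/Sep/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 "litespeed_hash=a1b2c3"';
}

print_r(detect_hash_cycling($lines));   // only 203.0.113.5 is flagged, with 60 distinct values
```

Because the guessing can run at a low request rate, a per-minute rate limit alone is a poor signal; counting distinct cookie values per client over a long window (hours to days, matching the timeframe Patchstack quotes) is the more reliable indicator.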

“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” Patchstack added.

Recommended Actions For Users

After notification by Patchstack, the LiteSpeed team has released a patch for the vulnerability, enhancing hash complexity, introducing one-time-use hashes and implementing stricter validation procedures.

“We initially recommend using the hash_equals function for the hash value comparison process to avoid possible timing attacks,” Patchstack suggested. “We also recommend using a more secure random value generator such as the random_bytes function. This was not implemented due to the need for legacy PHP support.”
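To make the two recommendations concrete, the following PHP is an added illustrative example written for this article; it is not LiteSpeed Cache's code and does not reproduce the plugin's actual implementation. It shows a weak security-hash pattern with the properties the article describes (a non-cryptographic random source, a one-million-value keyspace, a stored value that is never salted, never expires and is not tied to a user) beside a hardened version that uses random_bytes for generation, hash_equals for constant-time comparison, and a stored record that is bound to a user ID, expires, and is consumed on first use. The function names and the update_option_stub/get_option_stub helpers, which stand in for WordPress's option storage so the example runs outside WordPress, are assumptions of the example. random_bytes requires PHP 7.0 or later, which is the legacy-support constraint Patchstack mentions.

```php
<?php
// Added illustrative example (not LiteSpeed Cache's code): a weak security hash with
// the properties described in the article, beside a hardened replacement.
// Function names and the option-storage stubs are assumptions of this example.

// Minimal in-memory stand-ins for WordPress's update_option()/get_option().
function update_option_stub(string $key, $value): void {
    $GLOBALS['__opts'][$key] = $value;
}
function get_option_stub(string $key) {
    return $GLOBALS['__opts'][$key] ?? null;
}

// --- Weak pattern: small keyspace, non-cryptographic RNG, reusable, not user-bound ---
function weak_hash_generate(): string {
    // rand() is not a CSPRNG, and a six-digit value gives only 1,000,000 possibilities.
    $hash = str_pad((string) rand(0, 999999), 6, '0', STR_PAD_LEFT);
    update_option_stub('sec_hash', $hash);   // stored as-is: no salt, no expiry, any user
    return $hash;
}

function weak_hash_validate(string $supplied): bool {
    // '==' is not constant-time, and the stored value stays valid indefinitely.
    return get_option_stub('sec_hash') == $supplied;
}

// --- Hardened pattern: CSPRNG, 256-bit keyspace, one-time use, bound to user + expiry ---
function strong_hash_generate(int $user_id, int $ttl_seconds = 300): string {
    $token = bin2hex(random_bytes(32));   // 64 hex chars, 2^256 possibilities (PHP >= 7.0)
    // Store a digest of the token (not the token itself) together with the user it is
    // for and an expiry, so a leaked option value is useless and the token serves one
    // user, once, for a limited time.
    update_option_stub('sec_hash_record', [
        'digest'  => hash('sha256', $token),
        'user_id' => $user_id,
        'expires' => time() + $ttl_seconds,
    ]);
    return $token;
}

function strong_hash_validate(string $supplied, int $user_id): bool {
    $rec = get_option_stub('sec_hash_record');
    if (!is_array($rec)) {
        return false;
    }
    // Consume the record before checking, so a token is usable at most once
    // regardless of whether the check below succeeds.
    update_option_stub('sec_hash_record', null);
    if ($rec['expires'] < time() || $rec['user_id'] !== $user_id) {
        return false;
    }
    // hash_equals() compares in constant time, closing the timing side channel.
    return hash_equals($rec['digest'], hash('sha256', $supplied));
}

// Demonstration
$t = strong_hash_generate(1);
var_dump(strong_hash_validate($t, 1));   // bool(true): right token, right user, first use
var_dump(strong_hash_validate($t, 1));   // bool(false): token already consumed
```

The two changes that matter most are the keyspace (two to the power of 256 values instead of one million, which makes enumeration infeasible at any request rate) and the one-time, user-bound record (which removes the value of a guessed or leaked hash even if the keyspace were small). hash_equals addresses the separate timing side channel in the comparison itself.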

Users of the LiteSpeed Cache plugin are advised to update to version 6.4 immediately to mitigate this security risk.

Image credit: Primakov / Shutterstock.com
