Hackers exploit LiteSpeed Cache flaw to create WordPress admins

Hackers have been targeting WordPress sites with an outdated version of the LiteSpeed Cache plugin to create administrator users and gain control of the websites.

LiteSpeed Cache (LS Cache) is advertised as a caching plugin used in over five million WordPress sites that helps speed up page loads, improve visitor experience, and boost Google Search ranking.

Automattic’s security team, WPScan, observed in April increased activity from threat actors scanning for and compromising WordPress sites with versions of the plugin older than 5.7.0.1, which are vulnerable to a high-severity (8.8) unauthenticated cross-site scripting flaw tracked as CVE-2023-40000.

From one IP address, 94[.]102[.]51[.]144, there were  more than 1.2 million probing requests when scanning for vulnerable sites.

WPScan reports that the attacks employ malicious JavaScript code injected into critical WordPress files or the database, creating administrator users named ‘wpsupp‑user’ or ‘wp‑configuser.’

Another sign of infection is the presence of the “eval(atob(Strings.fromCharCode” string in the “litespeed.admin_display.messages” option in the database.

Malicious JS code creating rogue admin users
Malicious JS code creating rogue admin users
WPScan

A large part of LiteSpeed Cache users have migrated to more recent versions that are not impacted to CVE-2023-40000, but a significant number, up to 1,835,000, still run a vulnerable release.

Targeting Email Subscribers plugin

The ability to create admin accounts on WordPress sites gives attackers full control over the website, allowing them to modify content, install plugins, change critical settings, redirect traffic to unsafe sites, distribute malware, phishing, or steal available user data.

At the start of the week, Wallarm reported about another campaign targeting a WordPress plugin named “Email Subscribers” to create administrator accounts.

The hackers leverage CVE-2024-2876, a critical SQL injection vulnerability with a severity score of 9.8/10 that affects plugin versions 5.7.14 and older.

“In the instances of observed attacks, CVE-2024-27956 has been utilized to execute unauthorized queries on databases and establish new administrator accounts on vulnerable WordPress sites (for instance, those beginning with “xtw”).” – Wallarm

Though “Email Subscribers” is far less popular than LiteSpeed Cache, having a total of 90,000 of active installations, the observed attacks show that hackers will not shy away from any opportunity.

WordPress site admins are recommended to update plugins to the latest version, remove or disable components that are not needed, and monitor for new admin accounts being created.

A full site cleanup is mandatory in the event of a confirmed breach. The process requires deleting all rogue accounts, resetting passwords for all existing accounts, and restoring the database and site files from clean backups.