The National Information Technology Development Agency (NITDA) has issued a critical security alert concerning a newly discovered vulnerability, CVE-2024-28000, affecting over 5 million websites globally.
This vulnerability impacts the LiteSpeed Cache plugin for WordPress, a popular tool used to optimize website performance, and could allow attackers to gain full control over affected websites.
According to NITDA, the vulnerability arises from a flaw in the plugin’s “role simulation” feature, which can be exploited by cybercriminals to gain administrative access to websites without the need for authentication.
Once an attacker takes control of a site, they could install malicious plugins, steal sensitive data, or redirect visitors to harmful websites.
This attack is made easier due to a combination of a weak hash function and the simplicity of the attack vector. Cyber attackers can exploit this flaw through brute-force guessing or by manipulating exposed debug logs to access administrative privileges.
Implications of the vulnerability
NITDA noted that with over 5 million websites using the LiteSpeed Cache plugin, the potential impact of this vulnerability is significant.
According to the agency, websites at risk could experience:
- Data theft: Attackers may steal user data, including sensitive customer information such as personal details or payment data.
- Website defacement: Cybercriminals could alter website content, install malicious code, or disrupt services.
- Redirection to malicious sites: Site visitors could be redirected to fraudulent websites, exposing them to phishing scams or malware downloads.
Given the scale of WordPress usage, this vulnerability could have a severe effect on businesses, leading to financial losses and reputational damage.
Preventive measures for website administrators
To mitigate the risk of exploitation, NITDA urges all WordPress website administrators using the LiteSpeed Cache plugin to take immediate action by updating the LiteSpeed Cache Plugin.
“Ensure that the plugin is updated to the latest version (6.4.1). To check for updates, log in to your WordPress dashboard, navigate to the “Plugins” section, and update LiteSpeed Cache if necessary,” NITDA stated.
- The agency also advised users to disable debugging on Live websites, noting that if left enabled on live sites, this feature could expose sensitive logs, making it easier for attackers to exploit vulnerabilities.
- It also advised web administrators to regularly audit plugin settings and configurations to minimize security risks.
“Website owners should frequently check for vulnerabilities and ensure their plugins are up to date,” the agency added.
What you should know
The LiteSpeed Cache plugin for WordPress is a tool that improves website performance and loading speed by caching website content and resources.
- It has, however, had several vulnerabilities, including Cross-site scripting (XSS) which was a vulnerability in version 3.6 of the plugin. This allowed attackers to execute code in a user’s browser, steal authentication credentials, and more.
- Versions up to 6.3.0.1 of the plugin were vulnerable to unauthenticated privilege escalation, which allowed attackers to set their user ID to an administrator’s, and then create a new administrator account.
- The only way to escape these vulnerabilities has always been for web administrators to always keep their plugins up to date.
