Watch out — hackers can exploit this plugin to gain full control of your WordPress site

 Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS).
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS).

An older version of LiteSpeed Cache, a popular plugin for the WordPress website builder, is vulnerable to a high-severity flaw that hackers have been increasingly exploiting.

The flaw is described as an unauthenticated cross-site scripting vulnerability, and tracked as CVE-2023-40000. It carries a severity score of 8.8.

By adding malicious JavaScript code directly into WordPress files through the plugin, the attackers are able to create new administrator accounts, essentially completely taking over the website. Admin accounts can be used to modify the site’s content, add or remove plugins, or change different settings. Victims can be redirected to malicious websites, served malicious advertising, or have their sensitive user data taken.

Mitigations and fixes

The flaw was uncovered by WPScan, a cybersecurity project serving as an enterprise vulnerability database for WordPress. Its researchers observed increased activity from different hacking groups, as they scan the internet for compromised WordPress sites. These are all running LiteSpeed Cache version 5.7.0.1 or older. The current version is 6.2.0.1 and is considered immune to this flaw.

One threat actor made more than a million probing requests in April 2024 alone, it was said.

Allegedly, LiteSpeed Cache has more than five million active users, of which roughly two million (1,835,000) are using the outdated, vulnerable variant.

LiteSpeed Cache is a plugin promising faster page load times, better user experience, and improved Google Search Results Page positions.

Those fearing they might get targeted are advised to update their plugins to the latest version as soon as possible. Furthermore, they should uninstall all plugins and themes they are not actively using, and delete all suspicious files and folders.

Those suspecting they might have been targeted already, should look for suspicious strings in the database: "Search in [the] database for suspicious strings like 'eval(atob(Strings.fromCharCode,'" WPScan said. "Specifically in the option litespeed.admin_display.messages."

Via BleepingComputer

More from TechRadar Pro