LiteSpeed Cache and Email Subscribers vulnerabilities are being used by hackers to exploit WordPress sites.
In an effort to establish administrator accounts and take over WordPress websites, hackers have been targeting sites that utilize an out-of-date version of the LiteSpeed Cache plugin.
LiteSpeed Cache (LS Cache) is advertised as a caching plugin used in over five million WordPress sites that helps speed up page loads, improve visitor experience, and boost Google Search ranking.
Automattic’s security team, WPScan, observed in April increased activity from threat actors scanning for and compromising WordPress sites with versions of the plugin older than 5.7.0.1, which are vulnerable to a high-severity (8.8) unauthenticated cross-site scripting flaw tracked as CVE-2023-40000.
Of the requests probing for vulnerable sites, more than 1.2 million came from a single IP address, 94[.]102[.]51[.]144.
According to WPScan, these attacks inject malicious JavaScript into critical WordPress files or the database, which then creates administrator users named “wpsupp‑user” or “wp‑configuser.”
Another sign of infection is the presence of the string “eval(atob(String.fromCharCode” in the database’s “litespeed.admin_display.messages” option.
While many LiteSpeed Cache customers have upgraded to more recent versions that are not affected by CVE-2023-40000, a considerable number (up to 1,835,000) continue to use the vulnerable release.
Creating admin accounts on a WordPress site gives attackers complete control over it, including the ability to modify content, install plugins, change important settings, redirect traffic to hazardous sites, distribute malware, and steal user data.
At the start of the week, Wallarm reported on another campaign aimed at creating administrator accounts using the WordPress plugin “Email Subscribers.”
The hackers leverage CVE-2024-2876, a critical SQL injection vulnerability with a severity score of 9.8/10 that affects plugin versions 5.7.14 and older.
Although “Email Subscribers” is less popular than LiteSpeed Cache, with only 90,000 active installations, the recorded attacks demonstrate hackers’ willingness to take advantage of any chance.
WordPress site administrators should update plugins to the current version, delete unnecessary components, and watch for new admin accounts being created.
A complete site cleanup is required in the event of a verified breach.
The procedure includes eliminating all rogue accounts, resetting passwords for all current accounts, and restoring the database and site files from clean backups.
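The two indicators described above, the tainted “litespeed.admin_display.messages” option and unexpected administrator accounts, can be checked with two database queries; the script below is an added illustration, not code from the article or from WPScan, and runs those queries against an in-memory SQLite copy built from constructed sample rows. It assumes the default `wp_` table prefix and an assumed `since` cutoff date for flagging recently registered administrators.

```python
import sqlite3

IOC_STRING = "eval(atob(String.fromCharCode"  # string WPScan reported in the option
IOC_LOGINS = ("wpsupp-user", "wp-configuser")  # admin logins the injected code creates

# Constructed stand-in rows for a WordPress database (not data from any real site).
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    ("litespeed.admin_display.messages",
     "<script>eval(atob(String.fromCharCode(/*constructed*/)))</script>"),
]
SAMPLE_USERS = [  # (ID, user_login, user_registered)
    (1, "owner", "2022-01-10 09:00:00"),
    (2, "wpsupp-user", "2024-04-22 03:14:07"),
    (3, "editor1", "2023-06-01 12:00:00"),
]
SAMPLE_USERMETA = [  # (user_id, meta_key, meta_value); value is PHP-serialised roles
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
]

# The two statements below are what to run against the live MySQL database
# (default "wp_" table prefix assumed); parameters are bound, never interpolated.
OPTION_QUERY = ("SELECT option_name FROM wp_options "
                "WHERE option_name = 'litespeed.admin_display.messages' AND option_value LIKE ?")
ADMIN_QUERY = ("SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
               "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%\"administrator\"%' "
               "AND (u.user_login IN (?, ?) OR u.user_registered >= ?) ORDER BY u.ID")

def load_sample_db():
    """Build an in-memory SQLite copy of the three tables from the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_OPTIONS)
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return db

def find_indicators(db, since="2024-04-01 00:00:00"):
    """Return (tainted option names, suspicious admin logins). `since` is an assumed cutoff:
    admins registered after it are flagged for review even if their login is not on the list."""
    tainted = [row[0] for row in db.execute(OPTION_QUERY, (f"%{IOC_STRING}%",))]
    admins = [row[0] for row in db.execute(ADMIN_QUERY, (*IOC_LOGINS, since))]
    return tainted, admins
```

Any administrator the second query returns that the site owner does not recognise should be treated as the verified-breach case described above, not simply deleted.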