As title states,
The information provided about a vulnerability on LS 5.6 WP plugin is "way more severe" than what's published, about just an XSS or cross scripting thing. The problem goes way deeper and it is possible to insert users into WP while having admin rights.
I saw 11 websites getting hacked in the last few days, all of them had one thing in common. Clients not updating their sites as they should, and a LS 5.6 plugin which was reporting that it needed to be updated. When a client reported to me he was getting a new admin user signed up,
I was able to verify that the exploit comes from LS 5.6 WP plugin - and nothing else as it would match the times exactly in LOGS.
94.102.51.144 - - [07/Apr/2024:06:43:32 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 403 6923 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"
94.102.51.144 - - [07/Apr/2024:06:45:58 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 403 6923 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"
Above was able to insert 2 users in 2 different sites - by now I've updated all the websites and everything is OK now. But seriously, issue out a forced update for the zillion other websites running with an outdated LS plugin. It's being exploited on the mass.
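A triage sketch for the log check described in the post above, added here and not part of the original post: it finds POST requests to the endpoint shown in the logs and pairs them with account creation times. The sample log lines, user names, and the assumption that `user_registered` values from `wp_users` are in UTC are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Endpoint taken from the access-log lines quoted in the post.
ENDPOINT = "/wp-json/litespeed/v1/cdn_status"

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def endpoint_hits(lines):
    """Return parsed POST requests to ENDPOINT (query string ignored)."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].rstrip("/") != ENDPOINT:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"ip": m["ip"], "time": ts, "status": int(m["status"])})
    return hits

def correlate(hits, registrations, window=timedelta(minutes=5)):
    """Pair each account creation time with endpoint hits inside +/- window."""
    return {
        login: [h for h in hits if abs(h["time"] - registered) <= window]
        for login, registered in registrations.items()
    }

# Constructed sample input (documentation IP ranges, made-up user agent).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Apr/2024:06:43:32 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 403 6923 "-" "ExampleUA/1.0"',
    '203.0.113.7 - - [07/Apr/2024:06:45:58 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 403 6923 "-" "ExampleUA/1.0"',
    '198.51.100.20 - - [07/Apr/2024:09:10:00 +0200] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "ExampleUA/1.0"',
]
# Constructed: account names and creation times (assumed UTC, as exported from wp_users).
SAMPLE_USERS = {
    "constructed_admin": datetime(2024, 4, 7, 4, 43, 40, tzinfo=timezone.utc),
    "old_editor": datetime(2023, 1, 1, 12, 0, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for login, hits in correlate(endpoint_hits(SAMPLE_LOG), SAMPLE_USERS).items():
        for h in hits:
            print(login, h["ip"], h["time"].isoformat(), h["status"])
```

Accounts with no matching requests return an empty list, which helps separate long-standing users from ones created around the time of these requests.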