Cybercriminals are actively exploiting a high-severity vulnerability in the widely used LiteSpeed Cache plugin for WordPress to take over websites, according to researchers at WPScan. The vulnerability, tracked as CVE-2023-40000 with a CVSS score of 8.3, is an improper input neutralization flaw that allows stored cross-site scripting (XSS) attacks.
LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin with over 5 million active installations. It features server-level caching and various optimization capabilities. However, the recently disclosed vulnerability enables unauthenticated attackers to escalate privileges and create rogue admin accounts named "wpsupp-user" and "wp-configuser" on vulnerable sites.
Once the malicious actors gain administrative access, they have complete control over the compromised WordPress website. Patchstack originally discovered the stored XSS vulnerability in February 2024, which can be triggered through specially crafted HTTP requests.
Surge in Exploitation Attempts Detected
WPScan reported a significant spike in access attempts to a malicious URL on April 2nd and April 27th, likely indicating widespread exploitation efforts. The researchers identified two prominent IP addresses involved in scanning for vulnerable sites: 94.102.51.144 with 1,232,810 requests, and 31.43.191.220 with 70,472 requests.
The vulnerability was addressed by LiteSpeed Technologies in October 2023 with the release of version 5.7.0.1. However, unpatched sites remain at risk of compromise. WPScan has provided indicators of compromise (IoCs) for these attacks, including malicious URLs like https[:]//dns[.]startservicefounds.com/service/f[.]php, https[:]//api[.]startservicefounds[.]com, and https[:]//cache[.]cloudswiftcdn[.]com. Additionally, users should watch out for the IP address 45.150.67.235, which has been associated with the malware campaign.
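A defender-side triage script, added here as an example (it is not WPScan's or LiteSpeed's code), that checks web-server access logs, exported site content and the WordPress user list against the indicators quoted in this article; the log lines, content snippet and user list below are constructed sample input.

```python
import re

# Indicators quoted in the article above (IPs, defanged hosts, rogue usernames).
CAMPAIGN_IPS = {"94.102.51.144", "31.43.191.220", "45.150.67.235"}
IOC_HOSTS_DEFANGED = [
    "dns[.]startservicefounds[.]com",
    "api[.]startservicefounds[.]com",
    "cache[.]cloudswiftcdn[.]com",
]
ROGUE_USERS = {"wpsupp-user", "wp-configuser"}

# Apache/nginx "combined" access-log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def refang(indicator: str) -> str:
    """Turn a defanged IoC such as 'dns[.]example[.]com' back into a matchable host."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


IOC_HOSTS = {refang(h) for h in IOC_HOSTS_DEFANGED}


def parse_log_line(line: str):
    """Return the parsed fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_campaign_hits(log_lines):
    """List (ip, method, path, status) for every request from a campaign IP."""
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec and rec["ip"] in CAMPAIGN_IPS:
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


def find_ioc_hosts(content: str):
    """Return the IoC hosts referenced in exported site content (e.g. a wp_options/wp_posts dump)."""
    return {h for h in IOC_HOSTS if h in content}


def find_rogue_users(usernames):
    """Return any WordPress usernames matching the rogue admin accounts named in the article."""
    return sorted(u for u in usernames if u in ROGUE_USERS)
```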
Urgent Patching Recommended
WordPress site owners and administrators are strongly advised to update their LiteSpeed Cache plugin to the latest patched version as soon as possible to mitigate the risk of exploitation and potential website takeover.