Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

LiteSpeed Cache WordPress plugin actively exploited in the wild

Threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress to take over web sites. WPScan researchers reported that threat actors are exploiting a high-severity vulnerability in LiteSpeed Cache plugin for WordPress. LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection […]

ShapedPlugin plugin

Threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress to take over web sites.

WPScan researchers reported that threat actors are exploiting a high-severity vulnerability in LiteSpeed Cache plugin for WordPress.

LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features. The plugin has over 5 million active installations.

The vulnerability, tracked as CVE-2023-40000 CVSS score: 8.3, is an Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) issue in LiteSpeed Technologies LiteSpeed Cache that allows Stored XSS.

Attackers exploited the issue to create a rogue admin account, named wpsupp‑user and wp‑configuser, on vulnerable websites.

Upon creating admin accounts, threat actors can gain full control over the website.

Patchstack discovered the stored cross-site scripting (XSS) vulnerability in February 2024.

An unauthenticated user can trigger the issue to elevate privileges by using specially crafted HTTP requests.

WPScan reported that threat actors may inject a malicious script into vulnerable versions of the LiteSpeed plugin. The researchers observed a surge in access to a malicious URL on April 2nd and on April 27.

“The most common IP addresses that were probably scanning for vulnerable sites were 94.102.51.144, with 1,232,810 requests, and 31.43.191.220 with 70,472 requests.” reads WPScan. “The most common IP addresses that were probably scanning for vulnerable sites were 94.102.51.144, with 1,232,810 requests, and 31.43.191.220 with 70,472 requests.”

The vulnerability was fixed in October 2023 with the release of version 5.7.0.1.

Researchers provided indicators of compromise for these attacks, including malicious URLs involved in the campaign: https[:]//dns[.]startservicefounds.com/service/f[.]php, https[:]//api[.]startservicefounds[.]com, and https[:]//cache[.]cloudswiftcdn[.]com. The researchers also recommends to Watch out for IPs associated with the malware, such as 45.150.67.235.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, UK Ministry of Defense)