WordPress LiteSpeed Cache Plugin Exploited in Malware

 


The WordPress plugin "LiteSpeed Cache" is being exploited in the wild. A spike of attacks was seen in the month of April. The vulnerability is exploited in automated malware attacks.

The attacker exploits an unauthenticated cross-site scripting (XSS) issue that allows unauthorised users to create administrative accounts that can ultimately control and modify targeted websites.

According to Automattic reports, threat actors are injecting malicious JavaScript code into critical WordPress files or databases and creating administrative accounts called 'wpsupp-user' or 'wp-configuser'. An additional sign of infection is the presence of the string "eval(atob(Strings.fromCharCode" in the "litespeed.admin_display.messages" option in the database.
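
A check for the two indicators described above, written as an added example (not code from the original post or from Automattic). It assumes rows exported from the default `wp_users` and `wp_options` tables; the function names and sample rows are hypothetical and constructed for illustration.

```python
import re

# Account names reported on this page as attacker-created administrators.
ROGUE_LOGINS = {"wpsupp-user", "wp-configuser"}
# Option the page names as carrying the injected script.
OPTION_NAME = "litespeed.admin_display.messages"
# Marker string from the page, tolerant of whitespace and case. "Strings?" also
# matches the JavaScript built-in String.fromCharCode (an assumption that goes
# beyond the spelling given on the page).
MARKER = re.compile(r"eval\s*\(\s*atob\s*\(\s*Strings?\.fromCharCode", re.I)


def normalise_login(login):
    """Trim and lower-case a login so case or padding cannot hide a match."""
    return login.strip().lower()


def find_indicators(users, options):
    """Return a list of (kind, detail) findings.

    users   -- iterable of (ID, user_login) rows from wp_users
    options -- iterable of (option_name, option_value) rows from wp_options
    """
    findings = []
    for user_id, login in users:
        if normalise_login(login) in ROGUE_LOGINS:
            findings.append(("rogue_admin_name", f"ID {user_id}: {login}"))
    for name, value in options:
        # Only the option named on the page is inspected; value may be NULL.
        if name == OPTION_NAME and MARKER.search(value or ""):
            findings.append(("injected_option", name))
    return findings


# Constructed sample rows (not real data); the payload body is elided.
SAMPLE_USERS = [(1, "siteowner"), (7, "wpsupp-user"), (9, "WP-ConfigUser ")]
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    (OPTION_NAME, "<script>eval( atob(Strings.fromCharCode(...)))</script>"),
]

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_USERS, SAMPLE_OPTIONS):
        print(f"{kind}: {detail}")
```

An empty result only means these two indicators are absent; it does not cover the file injection the post also mentions.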

The malware typically injects code into critical WordPress files, often manifesting as:


Or in the database, when the vulnerable version of LiteSpeed Cache is exploited:


Decoded version:

