Hi,
Over the last few days, left and right I saw admin users added to clients' websites with full rights, usually with an address ending in a .ru or .mail extension. Once I nailed down the source, the culprit is the LiteSpeed Cache plugin for WordPress, which is actively being exploited. The following logs match exactly the new admin user added, as reported through the email notification:
94.102.51.144 - - [07/Apr/2024:06:15:02 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 886 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"
94.102.51.144 - - [07/Apr/2024:06:27:06 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 881 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"

For some reason, something can be injected, upon which a folder named wp-cleansong is created, and in there is a little script that either adds malware to the site or adds a WP admin user to your installation. In some scenarios, only attempts to execute PHP commands were performed, with no visible damage to the site. One or two sites were actively infested with click/malvertising (redirects).
The source is LiteSpeed on WordPress version 5.6, and it's recommended to update ASAP since it's actively being exploited. Check, for instance, your USERS tab and click on ADMINS to be sure it's only you or your team who has access.
I already reported this vulnerability to LS themselves. Just warning the public.
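As an added example (not part of the original post, and not LiteSpeed's or WordPress's own code), here is a small Python triage script that applies the three checks the post describes to constructed sample data: it parses access-log lines for accepted POST requests to /wp-json/litespeed/v1/cdn_status, flags administrator accounts whose email ends in .ru or .mail, and looks for a wp-cleansong directory under a webroot. The combined log format, the suspect-suffix list, the sample users and the sample log lines are assumptions or constructed for the example; on a real site the user list can be exported with WP-CLI's `wp user list --role=administrator --fields=user_login,user_email,roles --format=csv`.

```python
import re
from collections import Counter
from pathlib import Path

# Apache/LiteSpeed "combined" access-log format, matching the lines quoted in the post.
# Assumption: your server writes this layout; adjust the regex if it does not.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint the post identifies as hit right before the rogue admin appeared.
SUSPECT_ENDPOINT = "/wp-json/litespeed/v1/cdn_status"

# Email suffixes the post reports for the rogue admins. Treating ".mail" as a
# plain string suffix is an assumption; extend the tuple with what you observe.
SUSPECT_EMAIL_SUFFIXES = (".ru", ".mail")

# Directory name the post says the attacker drops into the site.
SUSPECT_DIR = "wp-cleansong"


def find_cdn_status_hits(log_lines):
    """Return {ip: hit_count} for POST requests to the cdn_status endpoint that
    the server answered with HTTP 200, i.e. requests that were accepted."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "POST" and path == SUSPECT_ENDPOINT and m["status"] == "200":
            hits[m["ip"]] += 1
    return dict(hits)


def suspicious_admins(users):
    """users: iterable of (login, email, role) tuples, e.g. from `wp user list`.
    Returns the logins of administrators whose email ends with a suspect suffix."""
    flagged = []
    for login, email, role in users:
        if role != "administrator":
            continue
        if email.lower().endswith(SUSPECT_EMAIL_SUFFIXES):
            flagged.append(login)
    return flagged


def find_dropped_dirs(webroot):
    """Walk a WordPress webroot and return paths of any wp-cleansong directory."""
    root = Path(webroot)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.rglob(SUSPECT_DIR) if p.is_dir())


# Constructed sample input: the two lines quoted in the post plus benign noise.
SAMPLE_LOG = [
    '94.102.51.144 - - [07/Apr/2024:06:15:02 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 886 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"',
    '94.102.51.144 - - [07/Apr/2024:06:27:06 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 881 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"',
    '203.0.113.7 - - [07/Apr/2024:06:30:00 +0200] "GET /wp-json/litespeed/v1/cdn_status HTTP/1.1" 403 12 "-" "curl/8.0"',
    '198.51.100.9 - - [07/Apr/2024:06:31:00 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

# Constructed user export: one legitimate admin, one editor, one rogue admin.
SAMPLE_USERS = [
    ("owner", "owner@example.com", "administrator"),
    ("editor1", "editor@example.com", "editor"),
    ("wpadminx", "backup@mailhost.ru", "administrator"),
]

if __name__ == "__main__":
    print("cdn_status POSTs by IP:", find_cdn_status_hits(SAMPLE_LOG))
    print("suspicious admins:", suspicious_admins(SAMPLE_USERS))
    print("dropped dirs under .:", find_dropped_dirs("."))
```

The GET with a 403 in the sample is deliberately left out of the count: the point is to surface sources whose requests to the endpoint were accepted, which is the pattern the post's two log lines show. Run the same three functions over your real access log, user export and webroot, and treat any hit on any of them as grounds to rotate admin credentials and review the site, not just to delete the rogue user.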