Litespeed cache vulnerability: wp-cleansong


A new security vulnerability in the LiteSpeed Cache plugin has led to WordPress websites being infected with malware. This article describes the infection.

Security gap

Plugin: litespeed-cache (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

Affected version: 5.7

Patched version: 5.7.0.1

More information is also available in wp-content/plugins/litespeed-cache/readme.txt.

Symptoms

  • Creation of admin users
  • Redirects generated by JavaScript that is hooked into wp_head via the clean_header() function
  • Infected core files such as wp-blog-header.php

Execution

Attackers can use the WordPress plugin to insert arbitrary web scripts into pages that are executed as soon as an administrator logs into their WordPress dashboard for the first time. The plugin installs itself on the same day and at the same time as the login.

The whole thing can be traced in the access.log file.


The PHP code uses a base64-encoded URL, url = base64_decode("aHR0cHM6Ly9kbnMuc3RhcnRzZXJ2aWNlZm91bmRzLmNvbS9zZXJ2aWNlL2YucGhw");, which points to hxxps://dns[.]startservi**founds[.]com/service/f.php (a URL on the blacklist).

Sources

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/litespeed-cache/litespeed-cache-57-reflected-cross-site-scripting-via-nameservers-and-msg

https://www.reddit.com/r/Wordpress/comments/1balppf/wpcleansong (User: gemedj89)

https://www.risorsainformatica.com/rimozione-malware-sito-wordpress/

Notes

First discovered on February 27, 2024

Prevention

  • Update to the latest version of the Litespeed cache plugin
  • HTTP(S) monitoring for /plugins/wp-cleansong/plane.php
  • Use .htaccess to block requests to song and song1

RewriteEngine On
RewriteCond %{QUERY_STRING} song1 [NC,OR]
RewriteCond %{QUERY_STRING} song2 [NC]
RewriteRule ^ - [F]
  • You can also block plane.php
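
An added example (not from the original article or from the plugin's code) that applies the indicators above to access.log: it flags requests to the wp-cleansong plugin path and query strings containing song1 or song2, mirroring the RewriteCond rules. The combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed Apache/Nginx combined log format: ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
PLUGIN_PATH = "/plugins/wp-cleansong/"   # path named in the article
QUERY_MARKERS = ("song1", "song2")       # same strings as the RewriteCond rules

def scan(lines):
    """Return one dict per log line that matches an indicator from the article."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        parts = urlsplit(m["target"])
        reasons = []
        # Decode %xx so an encoded path still matches the plugin directory.
        if PLUGIN_PATH in unquote(parts.path).lower():
            reasons.append("wp-cleansong path")
        query = parts.query.lower()  # [NC] in the rules is case-insensitive
        reasons += [f"query contains {q}" for q in QUERY_MARKERS if q in query]
        if reasons:
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"]),
                         "reasons": reasons})
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Feb/2024:10:15:01 +0100] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Feb/2024:10:15:03 +0100] "POST /wp-content/plugins/wp-cleansong/plane.php HTTP/1.1" 200 31 "-" "curl/8.0"',
    '198.51.100.7 - - [27/Feb/2024:10:16:40 +0100] "GET /?SONG1=1 HTTP/1.1" 403 199 "-" "curl/8.0"',
    '192.0.2.10 - - [27/Feb/2024:10:17:00 +0100] "GET /blog/my-song/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["target"], hit["reasons"])
```

The status code helps with triage: a 200 on the plane.php path suggests the file is present on disk, while a 403 on a song1/song2 query is what the rewrite rules above return.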

Malware removal

If you have problems with malware cleanup, as a WPspace customer you can use our malware removal service. Our team will scan your WordPress installation for malware and clean it up in the best possible way.

If you would like to take advantage of our malware cleanup service, you can simply send us a message via the support chat on wp-space.com. This incurs a one-off cost of € 250 plus VAT.

What does malware cleanup involve?

  1. We carefully check and examine the suspicious files.
  2. We clean up your WordPress site and remove the malicious code as well as the newly created users and take further measures to protect your WordPress website.
  3. We will inform you as soon as the work has been completed.
  4. If you still have problems with it afterwards, you can simply contact us.
Axel Riethmüller
As a freelance web designer and employee of WPspace, I know exactly what is important when it comes to WordPress, web design and marketing.
