{"id":26011,"date":"2024-03-11T17:14:53","date_gmt":"2024-03-11T16:14:53","guid":{"rendered":"https:\/\/wp-space.de\/?p=26011"},"modified":"2025-07-15T08:09:44","modified_gmt":"2025-07-15T07:09:44","slug":"security-gap-litespeed-cache-wp-songclean","status":"publish","type":"post","link":"https:\/\/wp-space.de\/en\/security-gap-litespeed-cache-wp-songclean\/","title":{"rendered":"LiteSpeed Cache vulnerability: wp-cleansong"},"content":{"rendered":"<p>The new <strong>security vulnerability<\/strong> in the <strong>LiteSpeed Cache<\/strong> plugin, \"wp-cleansong\", has led to <strong>WordPress websites<\/strong> being infected with <strong>malware<\/strong>. You can find out more about the infection in this article.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Security vulnerability<\/h2>\n\n\n\n<p><strong>Plugin:<\/strong> litespeed-cache (CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:L\/I:L\/A:N)<\/p>\n\n\n\n<p><strong>Affected version:<\/strong> 5.7<\/p>\n\n\n\n<p><strong>Patched version:<\/strong> 5.7.0.1<\/p>\n\n\n\n<p>More information can also be found in <strong>wp-content\/plugins\/litespeed-cache\/readme.txt<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Symptoms<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Creation of admin users<\/li>\n\n\n\n<li>Redirects generated by JavaScript hooked into wp_head via the clean_header() function<\/li>\n\n\n\n<li>Infected core files such as wp-blog-header.php<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Execution<\/h2>\n\n\n\n<p>Attackers can use the WordPress plugin to insert arbitrary web scripts into pages; these scripts are executed as soon as an administrator logs into their WordPress dashboard for the first time. 
The plugin installs itself on the same day and at the same time as the login.<\/p>\n\n\n\n<p>The whole process can be traced in the access.log file.<\/p>\n\n\n\n<pre class=\"wp-block-code has-background\" style=\"background-color:#eeeeee\"><code>\nPHP uses a base64-encoded URL: url =base64_decode(\"aHR0cHM6Ly9kbnMuc3RhcnRzZXJ2aWNlZm91bmRzLmNvbS9zZXJ2aWNlL2YucGhw\"); it points to hxxps:\/\/dns[.]startservi**founds[.]com\/service\/f.php (URL is on the blacklist)\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Sources<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/litespeed-cache\/litespeed-cache-57-reflected-cross-site-scripting-via-nameservers-and-msg\" target=\"_blank\" rel=\"noopener\">https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/litespeed-cache\/litespeed-cache-57-reflected-cross-site-scripting-via-nameservers-and-msg<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.reddit.com\/r\/Wordpress\/comments\/1balppf\/wpcleansong\" target=\"_blank\" rel=\"noopener\">https:\/\/www.reddit.com\/r\/Wordpress\/comments\/1balppf\/wpcleansong<\/a> (User: gemedj89)<\/p>\n\n\n\n<p><a href=\"https:\/\/www.risorsainformatica.com\/rimozione-malware-sito-wordpress\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.risorsainformatica.com\/rimozione-malware-sito-wordpress\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Notes<\/h2>\n\n\n\n<p>First discovered on February 27, 2024<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Prevention<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Update <\/strong>to the <strong>latest version<\/strong> of the LiteSpeed Cache plugin<\/li>\n\n\n\n<li><strong>HTTP(S) monitoring<\/strong> for \/plugins\/wp-cleansong\/plane.php<\/li>\n\n\n\n<li><strong>Block <\/strong>the requests to <strong>song <\/strong>and <strong>song1<\/strong> with <strong><a href=\"https:\/\/wp-space.de\/en\/htaccess-wordpress\/\">htaccess<\/a><\/strong><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code 
has-background\" style=\"background-color:#eeeeee\"><code>\n# Return 403 Forbidden when the query string contains song1 or song2 (case-insensitive)\nRewriteEngine On\nRewriteCond %{QUERY_STRING} song1 [NC,OR]\nRewriteCond %{QUERY_STRING} song2 [NC]\nRewriteRule ^ - [F]\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can also block <strong>plane.php<\/strong><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Malware removal<\/h2>\n\n\n\n<p>If you have problems with malware cleanup, as a WPspace customer you can use our malware removal service. Our team will scan your WordPress installation for malware and clean it up in the best possible way.<\/p>\n\n\n\n<p>If you would like to take advantage of our malware cleanup service, simply send us a message via the support chat on <a href=\"https:\/\/wp-space.de\/en\/\">wp-space.com<\/a>. This incurs a one-off cost of \u20ac 250 plus VAT.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What does malware cleanup involve?<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>We carefully check and examine the suspicious files.<\/li>\n\n\n\n<li>We clean up your WordPress site, remove the malicious code and the newly created users, and take further measures to protect your WordPress website.<\/li>\n\n\n\n<li>We will inform you as soon as the work has been completed.<\/li>\n\n\n\n<li>If you still have problems afterwards, you can simply contact us.<\/li>\n<\/ol>","protected":false},"excerpt":{"rendered":"<p>The new security vulnerability in the LiteSpeed Cache plugin, &#8220;wp-cleansong&#8221;, has led to WordPress websites being infected with malware. You can find out more about the infection in this article. Security vulnerability Plugin: litespeed-cache (CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:L\/I:L\/A:N) Affected version: 5.7 Patched version: 5.7.0.1 More information can also be found in wp-content\/plugins\/litespeed-cache\/readme.txt. 
Symptoms Execution Attackers can use the WordPress plugin to insert arbitrary web scripts into [&hellip;]<\/p>\n","protected":false},"author":11,"featured_media":26036,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[88],"tags":[],"class_list":["post-26011","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wordpress-datenschutz-und-security"],"_links":{"self":[{"href":"https:\/\/wp-space.de\/en\/wp-json\/wp\/v2\/posts\/26011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp-space.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wp-space.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wp-space.de\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/wp-space.de\/en\/wp-json\/wp\/v2\/comments?post=26011"}],"version-history":[{"count":2,"href":"https:\/\/wp-space.de\/en\/wp-json\/wp\/v2\/posts\/26011\/revisions"}],"predecessor-version":[{"id":49915,"href":"https:\/\/wp-space.de\/en\/wp-json\/wp\/v2\/posts\/26011\/revisions\/49915"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wp-space.de\/en\/wp-json\/wp\/v2\/media\/26036"}],"wp:attachment":[{"href":"https:\/\/wp-space.de\/en\/wp-json\/wp\/v2\/media?parent=26011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wp-space.de\/en\/wp-json\/wp\/v2\/categories?post=26011"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wp-space.de\/en\/wp-json\/wp\/v2\/tags?post=26011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}