Hackers Exploit Litespeed Plugin Flaw To Create Rogue Admin Accounts

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

WordPress plugins make WordPress more useful, but most have flaws that hackers may try to exploit to get unauthorized entry or introduce malicious code.

The popularity and widespread use of common plugins make them an easier target for attackers.

Similarly, out-of-date or neglected plugins with unfixed vulnerabilities tend to offer vulnerable entry points that even a less skilled threat actor could take.


Free Webinar : Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise:

Key Takeaways:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Start protecting your APIs from hackers

Hackers can do many things, such as distribute malware, carry out website defacements, or manipulate plugins to use compromised sites for future attacks.

Recently, cybersecurity analysts at WPScan discovered that hackers have been actively exploiting the Litespeed plugin flaw to create rogue admin accounts.

Hackers Exploit Litespeed Plugin Flaw

If you’ve discovered the ‘wpsupp-user’ admin user on your site, it indicates this latest malware campaign has impacted your website. 

Critical WordPress file (Source – WPScan)

Malicious code is injected into critical WordPress files or the database by exploiting vulnerabilities in outdated LiteSpeed Cache versions.

Vulnerable version of LiteSpeed Cache (Source – WPScan)

Here below is the decoded version:-

Decoded version (Source – WPScan)

To identify the malicious URLs and IPs make sure to lookout for malicious URLs like “https[:]//dns.startservicefounds.com/service/f.php,” “https[:]//api.startservicefounds.com,” “https[:]//cache.cloudswiftcdn.com” and the IP “” associated with this malware campaign. 

The decoded malicious JavaScript often creates rogue admin users such as ‘wpsupp-user’ on the sites that were compromised.

Risks are posed by injecting a malicious script into vulnerable LiteSpeed plugin versions (https[:]//wpscan.com/vulnerability/dd9054cc-1259-427d-a4ad-1875b7b2b3b4) exploited by attackers.

WPScan’s WAF logs showed that on April 27 and 2, there were some unusual spikes in access to this URL, which may suggest vulnerability scanning from IPs (1,232,810 requests) and (70,472 requests), and targeting of weak sites as well as those that are likely susceptible to cyber attacks.


Here below we have mentioned all the recommendations:-

  • Make sure to audit plugins, update them, and remove any suspicious plugin directories.
  • Identify and remove rogue admin users like “wpsupp-user” and “wp-configuser.”

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide