Stay Secure: How Patchstack’s vPatches protect your WordPress site against the latest vulnerabilities

Published 18 September 2024
Edouard

Introduction

In today’s digital landscape, WordPress powers over 40% of websites worldwide, making it a prime target for cybercriminals. With its vast ecosystem of plugins, themes, and customizations, WordPress offers incredible flexibility but also presents unique security challenges.

A single vulnerability—whether in the core system, a popular plugin, or a widely used theme—can expose your site to significant risks, including data breaches, defacement, and loss of customer trust.

This is where virtual patches (vPatches) come into play: a vPatch is a customized firewall rule that acts as a virtual shield, blocking exploitation of a security flaw before attackers can take advantage of it. Unlike traditional security measures that rely on waiting for official updates, Patchstack’s vPatches provide immediate protection, effectively closing the gap between the discovery of a vulnerability and the availability of a permanent fix.

Recent exploited vulnerabilities and how our vPatches blocked them

Last month alone, we designed and deployed more than 200 new virtual patches to protect our clients from a variety of vulnerabilities, ensuring swift defences against emerging threats, all of that without having to wait for an official patch.

While we’re continually adding more vPatches to cover new vulnerabilities, it’s interesting to note that the most critical ones are still being exploited, even though they were made public several months ago.

Here are some of the most interesting ones:

LiteSpeed Cache plugin

Privilege Escalation Vulnerability

Installations: 6M+ | CVSS: 9.8

LiteSpeed Cache plugin <= 6.3.0.1 – Privilege Escalation (CVE-2024-28000)

  • This Critical vulnerability, affecting a popular plugin with 6M+ installations, could allow unauthenticated attackers to take over the website by exploiting a weak verification of a hash supplied in a browser cookie when calling WordPress’s “users” REST API.
  • Patchstack immediately released a vPatch blocking any request to the “wp/v2/users” endpoint that carries a “litespeed_hash” cookie.

More than 12,000 attempts to exploit vulnerable versions of the plugin have been blocked since vPatch deployment.

LiteSpeed Cache plugin

Unauthenticated Stored XSS Vulnerability

Installations: 6M+ | CVSS: 8.3

LiteSpeed Cache plugin <= 5.7 – Unauthenticated Site Wide Stored XSS (CVE-2023-40000)

Another High-severity vulnerability in the LiteSpeed Cache plugin, disclosed earlier but still being exploited today.

  • In vulnerable versions, the plugin’s “update_cdn_status” and “_process_cdn_status” functions were prone to unauthenticated stored XSS because they saved raw values from certain requests. This could allow unauthenticated attackers to have arbitrary JavaScript executed in an administrator’s browser context, potentially leading to a full takeover of the website.
  • Patchstack’s clients were automatically protected from this vulnerability with a virtual patch blocking any request to the “litespeed/v1/cdn_status” endpoint that contains non-standard characters in the “_msg” or “nameservers” parameters.

This vulnerability is still widely exploited, with over 150,000 attempts blocked in the last 6 months.

Backup and Staging plugin

Authentication Bypass Vulnerability

Installations: 20K+ | CVSS: 9.8

Backup and Staging by WP Time Capsule plugin <= 1.22.20 – Authentication Bypass and Privilege Escalation (CVE-2024-38770)

  • This plugin with 20K+ installations suffered from a Critical flaw that allowed an unauthenticated user to log in as an administrator once the plugin’s connection to the WpTimecapsule website had been configured. A loose “!=” comparison (instead of the strict “!==”) was used to verify the authorized API key, so the check could be bypassed through type juggling.
  • Patchstack’s vPatch was deployed on our affected clients’ websites before an official patch was available, protecting them from exploitation attempts by blocking any request containing the vulnerable “AUTO_UPDATE_CHECK” type together with an authorization parameter.

More than 9,500 attempts to exploit vulnerable versions of the plugin have been blocked since vPatch deployment.

Rehub theme

Unauthenticated Local File Inclusion Vulnerability

Installations: 35K+ | CVSS: 9.0

Rehub theme <= 19.6.1 – Unauthenticated Local File Inclusion (CVE-2024-31231)

  • This theme with 35K+ installations included a vulnerable “ajax_action_re_filterpost” function, accessible to unauthenticated users, which did not properly restrict or sanitize a user-provided variable. This allowed attackers to perform a path traversal attack and include arbitrary local .php files, which in certain cases can have a critical impact such as remote code execution (RCE).
  • Patchstack immediately mitigated this vulnerability by issuing a vPatch that blocks any request calling the vulnerable “re_filterpost” action parameter and containing known local file inclusion patterns in the “template” parameter.
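To make the “customized firewall rule” idea concrete, here is an added example (not Patchstack’s code, and not taken from any of the plugins above) that models the four vPatch rules described in this post as simple request predicates and runs them over constructed sample requests. The request shape, the rule names, the safe-character set, the LFI pattern list and the sample values are all assumptions made for this illustration; the parameter names “type” and “authorization” for the WP Time Capsule rule are likewise assumed, since the post only names the request type and an authorization parameter.

```python
"""Toy vPatch rule engine (added illustration; not Patchstack's implementation).

Each rule is a predicate over a normalized request. A real WAF layer would
also log the match, rate-limit the client and keep the rule set updatable;
this example only shows the matching logic the post describes.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class Request:
    """Minimal constructed view of an HTTP request (assumed shape)."""
    method: str
    path: str                           # e.g. "/wp-json/wp/v2/users"
    query: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

    def param(self, name):
        """Look a parameter up in the body first, then in the query string."""
        return self.body.get(name, self.query.get(name))


# "Standard" characters for a status message or nameserver list (assumed set):
# letters, digits, space and a few punctuation marks a hostname list needs.
SAFE_TEXT = re.compile(r"[A-Za-z0-9 .,_:/-]*")

# Known local-file-inclusion markers: directory traversal and PHP stream
# wrappers. Input is URL-decoded once before matching; double-encoded
# payloads would need a second decode pass, which is a deliberate caveat here.
LFI_PATTERN = re.compile(r"(\.\./|\.\.\\|php://|file://|data://)", re.IGNORECASE)


def rule_litespeed_priv_esc(req):
    """CVE-2024-28000: the users REST endpoint never legitimately needs a litespeed_hash cookie."""
    return "wp/v2/users" in req.path and "litespeed_hash" in req.cookies


def rule_litespeed_stored_xss(req):
    """CVE-2023-40000: cdn_status endpoint with non-standard characters in _msg / nameservers."""
    if "litespeed/v1/cdn_status" not in req.path:
        return False
    for name in ("_msg", "nameservers"):
        value = req.param(name)
        if value is not None and SAFE_TEXT.fullmatch(str(value)) is None:
            return True
    return False


def rule_wptc_auth_bypass(req):
    """CVE-2024-38770: AUTO_UPDATE_CHECK request type combined with an authorization parameter."""
    return (req.param("type") == "AUTO_UPDATE_CHECK"
            and req.param("authorization") is not None)


def rule_rehub_lfi(req):
    """CVE-2024-31231: re_filterpost action with an LFI pattern in the template parameter."""
    template = req.param("template")
    if req.param("action") != "re_filterpost" or template is None:
        return False
    return LFI_PATTERN.search(unquote(str(template))) is not None


# Ordered rule set; the first matching rule decides, as a firewall would.
RULES = [
    ("litespeed-priv-esc", rule_litespeed_priv_esc),
    ("litespeed-stored-xss", rule_litespeed_stored_xss),
    ("wptc-auth-bypass", rule_wptc_auth_bypass),
    ("rehub-lfi", rule_rehub_lfi),
]


def evaluate(req):
    """Return the name of the rule that blocks the request, or None if it is allowed."""
    for name, rule in RULES:
        if rule(req):
            return name
    return None


def sample_requests():
    """Constructed traffic: one request per rule that should be blocked, plus benign lookalikes."""
    return [
        Request("GET", "/wp-json/wp/v2/users", cookies={"litespeed_hash": "constructed"}),
        Request("GET", "/wp-json/wp/v2/users"),                                   # benign
        Request("POST", "/wp-json/litespeed/v1/cdn_status", body={"_msg": "<b>done</b>"}),
        Request("POST", "/wp-json/litespeed/v1/cdn_status",
                body={"nameservers": "ns1.example.com,ns2.example.com"}),         # benign
        Request("POST", "/", body={"type": "AUTO_UPDATE_CHECK", "authorization": "constructed"}),
        Request("POST", "/wp-admin/admin-ajax.php",
                body={"action": "re_filterpost", "template": "..%2F..%2Fwp-config"}),
        Request("POST", "/wp-admin/admin-ajax.php",
                body={"action": "re_filterpost", "template": "grid/default"}),    # benign
    ]


if __name__ == "__main__":
    for req in sample_requests():
        verdict = evaluate(req)
        print(f"{req.method} {req.path} -> {'BLOCKED by ' + verdict if verdict else 'allowed'}")
```

The point of the design is that each rule is narrow and tied to a specific endpoint or action, so legitimate traffic to the same plugin (a cdn_status call with a plain nameserver list, a normal users lookup without the cookie) passes untouched while the exploit shape is refused before the vulnerable PHP ever runs.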

Key takeaways and conclusion

Proactive defense is essential for protecting your WordPress site from emerging threats. Relying solely on official patches can leave a window of vulnerability, but our vPatches provide immediate security as soon as a threat is detected, keeping our clients’ sites safe while waiting for official fixes.

By keeping your WordPress core, themes, and plugins up to date and using real-time protection solutions like Patchstack, you can drastically reduce the risk of compromise.

Be sure to follow our updates for the latest vulnerabilities and solutions to keep your site secure moving forward.

Help us make the Internet a safer place

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

  • If you’re a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
  • If you’re a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.
