Surge of JavaScript Malware Exploits Vulnerable LiteSpeed Cache Plugin Versions

A wave of JavaScript malware is exploiting vulnerable LiteSpeed Cache plugin versions below 5.7.0.1, injecting malicious code and creating unauthorized admin users.


WordPress sites running vulnerable versions of the LiteSpeed Cache plugin have recently faced a sharp increase in JavaScript malware infections. This wave of attacks targets versions prior to 5.7.0.1, exploiting a critical vulnerability to inject malicious code, create unauthorized admin users, and compromise site security.

Key Takeaways

  • The LiteSpeed Cache plugin versions before 5.7.0.1 contain a critical vulnerability enabling remote JavaScript malware injection.
  • Malware often creates admin users named wpsupp-user or wp-configuser, granting attackers full site control.
  • Malicious code is injected into core WordPress files and the database, notably in litespeed.admin_display.messages.
  • Attackers scan aggressively; one IP made over 1.2 million requests seeking vulnerable sites in April 2024.
  • Immediate plugin updates and database audits are essential to stop ongoing infections.

Understanding the LiteSpeed Cache Vulnerability and Its Impact

The LiteSpeed Cache plugin is widely used in WordPress for performance optimization, particularly on hosting environments powered by LiteSpeed web servers. Its integration with server-level caching makes it a common choice for agencies and site operators aiming to improve load times and reduce server resource usage.

Unfortunately, versions of LiteSpeed Cache older than 5.7.0.1 expose a security flaw that allows attackers to inject obfuscated JavaScript malware remotely. This injected malware often creates backdoor admin accounts (notably wpsupp-user), giving attackers persistent access. Such accounts can bypass normal authentication, making cleanup difficult without thorough investigation.

From experience managing WordPress sites with heavy plugin ecosystems, vulnerabilities in popular plugins like LiteSpeed Cache pose outsized risks. Sites running more than 30 active plugins are especially vulnerable because plugin conflicts and update delays increase attack surface and detection difficulty.

How the Malware Operates Within WordPress

The malware payload typically integrates into both the WordPress filesystem and database. Critical PHP files, such as wp-config.php or core loader files, may contain injected code snippets that execute obfuscated JavaScript. In the database, attackers focus on options like litespeed.admin_display.messages, inserting encoded JavaScript strings such as eval(atob(String.fromCharCode(...))).

This combination allows the malware to persist even after surface-level file cleanups. The injected scripts contact remote malicious URLs, including domains like dns.startservicefounds.com and cache.cloudswiftcdn.com, to load further malicious payloads or exfiltrate data.

In practice, this behavior often causes intermittent site slowdowns and unexpected admin user creations. Agencies maintaining WooCommerce or high-traffic sites have reported seeing these symptoms, particularly when running LiteSpeed Cache on shared or poorly segmented hosting environments.

Attack Patterns and Detection

Analysis of web application firewall (WAF) logs reveals two significant spikes in exploit activity: April 2nd and April 27th, 2024. The most aggressive scanning IPs include 94.102.51.144 with over 1.2 million requests and 31.43.191.220 with more than 70,000 requests in a few weeks.

These scans attempt to identify WordPress sites running vulnerable LiteSpeed Cache versions by probing the plugin’s endpoints and injecting test payloads. Once a vulnerable site is found, the malware injects scripts, creates admin users with names like wpsupp-user, and establishes persistence.

WordPress site operators should actively monitor for suspicious admin accounts, especially those named similarly to wpsupp-user or wp-configuser. Checking the database for suspicious encoded strings and scanning files for unauthorized modifications are crucial steps in detection.

Cleanup and Mitigation Strategies

Cleaning infected sites requires a multi-pronged approach. First, update LiteSpeed Cache to version 5.7.0.1 or later, where this vulnerability is patched. Next, audit all admin users and revoke any suspicious accounts immediately.

From hands-on experience, simply deleting malicious files is insufficient. The database often retains injected code, requiring manual SQL queries or security plugins capable of scanning option values deeply. Specifically, searching for patterns like eval(atob() in the litespeed.admin_display.messages option can reveal hidden payloads.
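A small triage script, added here as an illustration and not code from the article, that applies the two checks above to constructed sample data: it finds eval(atob(String.fromCharCode(...))) blobs in exported wp_options rows, decodes the inner payload so a responder can see what the blob actually does, and flags the admin usernames the article names. The option name and usernames come from the article; the row layout and the harmless inner payload are constructed.

```python
import re
import base64
from typing import List, Optional, Tuple

# Names quoted in the article; everything else in this script is constructed.
SUSPICIOUS_USERS = {"wpsupp-user", "wp-configuser"}
OPTION_OF_INTEREST = "litespeed.admin_display.messages"

# Matches eval(atob(String.fromCharCode(n, n, ...))) and captures the char codes.
CHARCODE_RE = re.compile(
    r"eval\(\s*atob\(\s*String\.fromCharCode\(([\d,\s]+)\)\s*\)\s*\)"
)


def decode_charcode_payload(js: str) -> Optional[str]:
    """Undo the two obfuscation layers (char codes -> base64 -> script text)."""
    m = CHARCODE_RE.search(js)
    if not m:
        return None
    codes = [int(c) for c in m.group(1).split(",") if c.strip()]
    b64 = "".join(chr(c) for c in codes)
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except ValueError:  # not valid base64: still an eval(atob(...)) hit, but undecodable
        return None


def scan_options(rows: List[Tuple[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Return (option_name, decoded_payload) for every row carrying an eval(atob( blob."""
    hits = []
    for name, value in rows:
        if "eval(atob(" in value:
            hits.append((name, decode_charcode_payload(value)))
    return hits


def flag_users(usernames: List[str]) -> List[str]:
    """Admin usernames matching the backdoor account names from the article."""
    return sorted(u for u in usernames if u in SUSPICIOUS_USERS)


def build_sample_rows() -> List[Tuple[str, str]]:
    """Constructed stand-in for a wp_options export; the inner script is harmless."""
    inner = 'console.log("decoded payload")'  # a real sample would be a remote loader
    b64 = base64.b64encode(inner.encode()).decode()
    codes = ",".join(str(ord(ch)) for ch in b64)
    injected = f"<script>eval(atob(String.fromCharCode({codes})))</script>"
    return [("siteurl", "https://example.invalid"),
            (OPTION_OF_INTEREST, injected),
            ("blogname", "Example site")]
```

On a real site, feed scan_options the rows of `SELECT option_name, option_value FROM wp_options` and flag_users the user_login column of wp_users, then treat every hit as a full-compromise indicator rather than something to delete in isolation.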

Finally, tighten overall WordPress security by enforcing strong passwords, limiting admin user creation, and deploying WAF rules blocking known malicious IPs such as 45.150.67.235. Many managed WordPress hosts already integrate such protections, but self-hosted environments must implement these controls manually.

What This Means for WordPress Users

We recommend that every WordPress developer, agency, and site operator immediately verify their LiteSpeed Cache plugin version. If it is below 5.7.0.1, update without delay to close this exploit window. Delaying updates risks site compromise, data breaches, and loss of search ranking due to injected spam or malware.

This incident highlights a broader trend in the WordPress ecosystem where popular performance plugins, due to their deep integration with both WordPress and server layers, become prime targets for attackers. For agencies managing multiple client sites, automating plugin updates and scanning for unauthorized admin users can prevent widespread infections.

Sites hosted on shared or unmanaged environments are especially vulnerable to rapid malware propagation because they often lack proactive monitoring and firewall rules tailored to WordPress. Managed WordPress hosting providers should consider adding targeted detection rules for this malware strain and educate customers about the risks.

In the longer term, this attack underscores the importance of maintaining a minimal, well-audited plugin set and applying updates promptly. Plugins like LiteSpeed Cache are indispensable for performance but must be balanced against security risks inherent in third-party code.

Frequently Asked Questions

Which versions of LiteSpeed Cache are vulnerable to this JavaScript malware?

Versions prior to 5.7.0.1 of the LiteSpeed Cache plugin contain a critical remote code execution vulnerability exploited by attackers to inject JavaScript malware.

How can I detect if my WordPress site is infected?

Look for unauthorized admin users named wpsupp-user or wp-configuser, check core files for injected code, and search the database for encoded JavaScript strings like eval(atob(...)), especially in the litespeed.admin_display.messages option.

What are the immediate steps to clean an infected site?

Update the LiteSpeed Cache plugin to 5.7.0.1 or higher, remove suspicious admin users, clean injected code from files and database, and implement firewall rules blocking known malicious IP addresses.

Are managed WordPress hosts protected against this malware?

Many managed hosts deploy firewall rules and monitoring that can detect and block these attacks, but clients should still update plugins promptly and verify site integrity.
