Advisory

Critical vulnerability in LiteSpeed Cache WordPress plugin patched, update ASAP

Take action: If you are using LiteSpeed Cache on your WordPress site, patch it as soon as possible. This is an easily exploitable flaw in a component that is exposed to the internet. Don't delay: you will be hacked.
Learn More

A critical security vulnerability has been reported in the LiteSpeed Cache WordPress plugin. LiteSpeed Cache is a caching and optimization plugin for WordPress designed to accelerate website performance.

The vulnerability, tracked as CVE-2024-28000 (CVSS score 9.8), is an unauthenticated privilege escalation vulnerability in the plugin's user simulation feature. The issue stems from a weak hash check in LiteSpeed Cache versions up to and including 6.3.0.1. If exploited, attackers can gain administrator-level access, allowing them to hijack the website, modify settings, install malicious plugins, or steal data.

The vulnerability was initially reported by security researcher John Blackbourn through Patchstack’s bug bounty program. LiteSpeed released a patched version, 6.4, on August 13, 2024. Despite the patch being available, statistics show that only about 2.5 million users have updated to the fixed version, leaving more than half of the 5 million users still exposed.

Rafie Muhammad, a researcher from Patchstack, emphasized the ease of exploiting this flaw, explaining that a brute-force attack can bypass the security hash in just a few hours to a week. Chloe Chamberland from Wordfence also warned that this vulnerability is likely to be actively exploited soon if users do not update promptly.

The vulnerability highlights the ongoing security risks in popular plugins. Earlier this year, a similar flaw, CVE-2023-40000, was exploited to create rogue admin accounts on LiteSpeed-powered sites. Users are strongly urged to upgrade to LiteSpeed Cache version 6.4.1 or higher.
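To help site operators audit a fleet, the following is an added Python helper (not code from the advisory or from the LiteSpeed project) that reads the version out of a plugin's header comment and classifies it against the affected and fixed versions named above. It assumes the standard WordPress plugin header format; the sample header is constructed, and the plugin's main file path (litespeed-cache/litespeed-cache.php) is an assumption.

```python
import re
from typing import Optional, Tuple

# Version boundaries taken from the advisory: everything up to and including
# 6.3.0.1 is affected; 6.4 carries the fix and 6.4.1 or higher is recommended.
LAST_VULNERABLE = "6.3.0.1"
RECOMMENDED = "6.4.1"

# Constructed sample of a WordPress plugin file header (standard header format;
# reading it from litespeed-cache/litespeed-cache.php is an assumption).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Version: 6.3.0.1
 */
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers; a trailing tag such as
    '-beta' is dropped so the comparison stays numeric."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def compare(a: str, b: str) -> int:
    """Component-wise comparison with zero padding, so that 6.4 == 6.4.0 and
    6.3.0.1 sorts above 6.3 (plain string comparison gets four-part versions wrong)."""
    x, y = parse_version(a), parse_version(b)
    n = max(len(x), len(y))
    x += (0,) * (n - len(x))
    y += (0,) * (n - len(y))
    return (x > y) - (x < y)

def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Pull the 'Version:' field out of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return m.group(1) if m else None

def assess(version: str) -> str:
    """Classify an installed LiteSpeed Cache version against CVE-2024-28000."""
    if compare(version, LAST_VULNERABLE) <= 0:
        return "vulnerable"
    if compare(version, RECOMMENDED) < 0:
        return "patched, below recommended 6.4.1"
    return "patched"
```

Run `assess(plugin_version_from_header(open(path).read()))` against each site's plugin file; anything reported as "vulnerable" needs the update before anything else.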