WordPress website administrators who utilize the Litespeed Cache plugin are urged to promptly update their sites with the latest plugin release to address a critical vulnerability. This vulnerability could potentially allow an unauthorized attacker to gain control of targeted websites.
Warning: Vulnerability in LiteSpeed Cache Plugin Could Lead to Site Takeover
A security researcher named John Blackbourn from PatchStack recently uncovered a critical privilege escalation vulnerability in the LiteSpeed Cache plugin.
LiteSpeed Cache for WordPress is renowned for its server-level cache and various site optimization features. With over 5 million active installations, it is evident that the plugin is widely used among WordPress users. However, this popularity also means that any vulnerability in the plugin could pose a significant threat to millions of websites.
The vulnerability was found in the plugin’s crawler feature, which includes a user simulation function for performing crawler requests as authenticated users. Unfortunately, due to a weak security hash in this feature, the plugin allowed an unauthorized attacker to impersonate an authenticated user and gain elevated site privileges. In some cases, this could even lead to the installation of malicious plugins and a complete takeover of the website.
This vulnerability, identified as CVE-2024-28000, has been rated as critical and has received a CVSS score of 9.8. It affects all plugin versions up to 6.3.0.1.
For a detailed technical analysis of the vulnerability, you can refer to the recent post by PatchStack.
Vulnerability Resolved in Latest Plugin Update
Upon discovering the vulnerability, Blackbourn responsibly disclosed the flaw to the plugin developers through PatchStack. In response, the developers released a patch with the LiteSpeed Cache plugin version 6.4. As a token of appreciation, the researcher received a $14,400 bounty under the Patchstack Zero Day program for reporting this issue.
It is crucial for all WordPress administrators to update their sites with the latest plugin release to mitigate potential risks. It is recommended to upgrade to the LiteSpeed Cache plugin version 6.4.1, which is the most recent release available on the official plugin page.
We value your feedback, so feel free to share your thoughts in the comments section below.