The flaw, identified as CVE-2024-28000, allows unauthenticated attackers to elevate their privileges and take full control of vulnerable websites by creating administrator accounts, installing malicious plugins, and potentially redirecting traffic or distributing malware.
LiteSpeed Cache is one of the most popular WordPress caching plugins, used by singapore company email list over five million websites. It optimizes website performance by caching versions of pages to reduce loading times.
However, this same optimization functionality harbored a serious vulnerability in the user simulation function, which uses a weak security hash.
This hash, which is a combination of characters generated to validate operations, is limited to a reduced number of possible combinations (only one million).
This makes the hash susceptible to brute force attacks, thus allowing unauthenticated attackers to discover the correct value and assume the identities of users with administrative privileges.
With this, they can create new administrator accounts, modify critical settings, and install malicious plugins to compromise the website.
Impact and recommended actions on WordPress sites
The vulnerability affects all versions of the plugin up to 6.3.0.1, and will be fixed in version 6.4, released in August 2024.
Although the patch is available, it is estimated that many sites have not yet updated the plugin, remaining vulnerable to attacks.
WordPress site administrators using LiteSpeed Cache are strongly advised to update the plugin to the latest version immediately.
Additionally, it is advisable to review user accounts on the site to ensure that there are no suspicious accounts and, therefore, implement temporary mitigation measures, such as adjusting plugin files or adding security rules, if it is not possible to perform the update immediately.