Critical security flaw in the LiteSpeed Cache WordPress plugin: 5 million sites affected

On August 19, 2024, a critical vulnerability was identified in the LiteSpeed Cache plugin, used by over 5 million WordPress sites. This flaw allows an unauthenticated attacker to impersonate an administrator, compromising the site's full integrity.

Technical details

The fault was discovered by WordFence.

It affects all versions of the LiteSpeed Cache plugin up to version 6.3.0.1. By exploiting a bug in the role simulation function, an attacker can use a hash to impersonate an administrator. Once this hash has been obtained, he can create an administrator account via the WordPress REST API, enabling him to take control of the site.

The hash used is only six characters long, making it vulnerable to brute-force attacks. What's more, if debugging logs can be accessed, this hash can be easily recovered by an attacker.

What to do?

Don't underestimate this vulnerability. Threats of this type can quickly turn into disasters if not dealt with in time.

The solution is simple: update LiteSpeed Cache to version 6.4.1 or higher. This update corrects the flaw.

If you use Wordfence Premium, Care or Response, a firewall rule was deployed on August 20, 2024 to protect you. Users of the free version will receive this protection from September 19, 2024.

How do you stay protected?

With the WordPress Toolkit on LRob accommodationyou would have been automatically alerted by e-mail of the vulnerability and the update could have been automatic 😎. Backup is complete and daily at LRob, with a full 1-year retention!
A good way to stay one step ahead of security threats.

Categories

Specialized WordPress hosting

Convenient, free, fast and secure

WordPress websites
WordPress, Best CMS for 20 years

Much more than traditional hosting: benefit from simplified management and security tools for WordPress. With expert support included!

WordPress Webmaster

Professional Webmastering by a WordPress Specialist in Orleans
Secure Hosting Included

WordPress websites

Entrust your site to a WordPress specialist, WordPress security expert

Nextcloud hosting

Maintenance included

Nextcloud
The best free collaborative suite

Work efficiently, control your data