5 million WordPress sites at risk: Critical vulnerability in LiteSpeed Cache

The WordPress plug-in LiteSpeed Cache is installed on 5 million websites. Now IT researchers have discovered a critical security vulnerability in it.


IT security researchers have discovered a critical vulnerability in the WordPress plug-in LiteSpeed Cache that allows attackers to completely compromise an instance. According to Wordfence, the plug-in is used on more than 5 million websites. IT managers should quickly ensure that they have the latest version of the plug-in active.

The vulnerability became known because it was closed with a new plug-in version of LiteSpeed Cache on Monday, the IT researchers at Wordfence explain in their security release. "We have found that it is possible for unauthenticated attackers to spoof their user ID in vulnerable versions, which ultimately allows them to register as an administrative user and completely take over a WordPress site," the analysts explain (CVE-2024-28000, CVSS 9.8, risk "critical").

The authors strongly recommend that administrators update their websites to the latest patched version of LiteSpeed Cache, currently 6.4.1, as soon as possible. "We have no doubt that the vulnerability will be actively exploited very soon," they explain.

LiteSpeed Cache versions up to and including 6.3.0.1 are affected; version 6.4 and newer close the gap. The Wordfence security announcement provides more details on the vulnerability.
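The following check is an added example, not code from Wordfence or the LiteSpeed project. It reads the `Version:` header of the plug-in's main PHP file and classifies the installation against the range given above. The file location `wp-content/plugins/litespeed-cache/litespeed-cache.php` and the sample headers are assumptions constructed for illustration.

```python
import re
import sys
from itertools import zip_longest

FIXED_IN = "6.4"  # first fixed release according to the article

# Assumption: standard WordPress plug-in header line, e.g. " * Version: 6.3.0.1".
# Anything other than a plain dotted number (e.g. "6.4-rc1") is reported as unknown.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.I | re.M)

# Constructed sample headers (not copied from the real plug-in).
SAMPLE_VULN = "<?php\n/**\n * Plugin Name: LiteSpeed Cache\n * Version:     6.3.0.1\n */\n"
SAMPLE_FIXED = "<?php\n/**\n * Plugin Name: LiteSpeed Cache\n * Version:     6.4.1\n */\n"


def parse_version(text):
    """Turn '6.3.0.1' into (6, 3, 0, 1)."""
    return tuple(int(part) for part in text.split("."))


def is_older(a, b):
    """True if version tuple a < b; missing parts count as 0, so 6.4 == 6.4.0."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return x < y
    return False


def classify(plugin_file_text):
    """Return (version, status) for the contents of the plug-in's main PHP file."""
    match = VERSION_RE.search(plugin_file_text)
    if not match:
        return (None, "unknown")
    version = match.group(1)
    older = is_older(parse_version(version), parse_version(FIXED_IN))
    return (version, "affected" if older else "patched")


if __name__ == "__main__":
    # Usage: python check_lscache.py /path/to/site/wp-content/plugins/litespeed-cache/litespeed-cache.php ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            version, status = classify(handle.read(8192))
        print(f"{path}: version={version} status={status}")
```

A result of `unknown` means the header could not be read and the installation should be checked by hand.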

WordPress plug-ins remain a constant source of security vulnerabilities. On Wednesday of this week, it became known that a critical vulnerability exists in the GiveWP plug-in, which endangers the roughly 100,000 WordPress instances that use it. Updated software is already available for this as well.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.