Serious Bug in LiteSpeed Cache Exposes Millions of WordPress Websites to Risk
As of September 6, 2024, a critical vulnerability in the LiteSpeed Cache plugin puts millions of WordPress sites at risk of attack. A fix has been released, but most sites have not yet installed it. The disclosure comes shortly after another serious flaw in the same plugin was actively exploited against WordPress sites. Security firm Patchstack expects this vulnerability to be widely abused as well and rates it CVSS 9.8 out of a maximum of 10.
LiteSpeed Cache is a plugin that speeds up page loading on WordPress sites and is installed on more than six million of them. The vulnerability (CVE-2024-44000), a cookie leak, lets unauthenticated attackers take over administrator accounts and, from there, install malicious plugins. It is only exploitable if the plugin's debug log feature is enabled, or was enabled in the past and the resulting /wp-content/debug.log file was never deleted: the log captures the session cookies of requests it records, so anyone who can fetch that file over the web can copy the cookies of users who are currently logged in or have recently logged in and replay them.
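The triage step that follows from the paragraph above, as an added example (not code from LiteSpeed, Patchstack or the original post): given the text of a leaked debug.log, find every WordPress auth cookie in it, decode the user|expiration|token|hmac layout WordPress uses for those cookies, and report which accounts still have a replayable session. The sample log text is constructed and labelled as such; the real LiteSpeed Cache log layout may differ, which is why the matching keys on the cookie names alone. The optional fetch helper and its URL path are assumptions for illustration; run it only against sites you own.

```python
"""Triage helper for CVE-2024-44000: which WordPress sessions does a leaked
/wp-content/debug.log expose, and are they still live?"""
import re
import sys
import urllib.error
import urllib.request
from datetime import datetime, timezone
from urllib.parse import unquote, urljoin

# Constructed sample of a leaked log. Not a real LiteSpeed excerpt; only the
# cookie names and values matter here and the regex keys on those alone.
SAMPLE_DEBUG_LOG = """\
09/06/24 10:11:12.345 [203.0.113.7:51234 1 HTTP/1.1] GET /wp-admin/
09/06/24 10:11:12.345 [203.0.113.7:51234 1 HTTP/1.1] Header: Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_0123abcd=alice%7C1725876000%7Caaaaaaaa%7Cbbbbbbbb; wordpress_sec_0123abcd=alice%7C1725876000%7Caaaaaaaa%7Ccccccccc
09/06/24 10:12:00.001 [198.51.100.9:40001 2 HTTP/1.1] GET /
09/06/24 10:12:00.001 [198.51.100.9:40001 2 HTTP/1.1] Header: Cookie: wordpress_logged_in_0123abcd=bob%7C1609459200%7Cdddddddd%7Ceeeeeeee
"""

# WordPress auth cookies are named wordpress_logged_in_<md5> / wordpress_sec_<md5>.
AUTH_COOKIE_RE = re.compile(r"(wordpress_(?:logged_in|sec)_[0-9a-f]+)=([^;\s]+)")


def extract_auth_cookies(log_text):
    """Return one dict per auth cookie found: name, user, expires (unix), token, hmac.
    WordPress builds the cookie value as user|expiration|token|hmac and it is
    URL-encoded when set, so the '|' usually shows up as %7C in a log."""
    found = []
    for name, raw in AUTH_COOKIE_RE.findall(log_text):
        parts = unquote(raw).split("|")
        if len(parts) != 4 or not parts[1].isdigit():
            continue  # not the WordPress auth-cookie layout; ignore it
        user, expires, token, hmac = parts
        found.append({"name": name, "user": user, "expires": int(expires),
                      "token": token, "hmac": hmac})
    return found


def live_sessions(log_text, now):
    """Usernames whose leaked cookies have not yet expired at `now` (unix time).
    These are the sessions an attacker can still replay; invalidate them."""
    return sorted({c["user"] for c in extract_auth_cookies(log_text) if c["expires"] > now})


def debug_log_url(site):
    """Assumed location of the log discussed in the post, under the site root."""
    return urljoin(site.rstrip("/") + "/", "wp-content/debug.log")


def fetch_debug_log(site, timeout=10):
    """Try to read the log anonymously. Returns its text if the server serves it
    with HTTP 200, None otherwise (404, 403, network error)."""
    req = urllib.request.Request(debug_log_url(site),
                                 headers={"User-Agent": "cve-2024-44000-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace") if resp.status == 200 else None
    except (urllib.error.HTTPError, urllib.error.URLError):
        return None


if __name__ == "__main__":
    # usage: python triage.py            -> runs on the constructed sample
    #        python triage.py https://site.example  -> fetches the live log (your site only)
    if len(sys.argv) > 1:
        text = fetch_debug_log(sys.argv[1])
        if text is None:
            print("debug.log is not served anonymously (or the site is unreachable)")
            sys.exit(0)
        print("WARNING: debug.log is publicly readable")
    else:
        text = SAMPLE_DEBUG_LOG
    now = int(datetime.now(timezone.utc).timestamp())
    for c in extract_auth_cookies(text):
        state = "LIVE" if c["expires"] > now else "expired"
        when = datetime.fromtimestamp(c["expires"], timezone.utc)
        print(f"{c['name']}: user={c['user']} expires={when:%Y-%m-%d %H:%M}Z [{state}]")
    print("invalidate sessions for:", ", ".join(live_sessions(text, now)) or "nobody")
```

Each `wordpress_logged_in_*` cookie pairs with a `wordpress_sec_*` cookie carrying the same user and token, so the sample reports alice twice but lists her once as a live session; bob's cookie expired in 2021 and is not replayable. The user and expiration are readable without any secret, which is why a leaked log is enough to tell an administrator exactly whose sessions to revoke.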
Version 6.5.0.1 of LiteSpeed Cache, released yesterday, fixes the issue. At the time of writing it is active on 1.2 million sites according to WordPress.org statistics, so the large majority of installations remain vulnerable; most sites reportedly still run a 6.4.x release.
The vulnerability is a reminder for administrators to keep plugins up to date. Updating alone is not enough here, though: a debug.log left over from an earlier debugging session still holds whatever cookies it captured, so also delete /wp-content/debug.log (and confirm it can no longer be fetched from the web), and invalidate existing sessions, for example by having administrators change their passwords or log out of all devices, because a stolen session cookie stays valid until it expires.
polonus (A.I.-enhanced)