A vulnerability affecting 5 million sites has been discovered in the popular WordPress cache plugin LiteSpeed Cache 6.3.0.1 and below. We recommend updating as soon as possible.

Vulnerability in LiteSpeed Cache 6.3.0.1 and lower allows hijacking of logged-in users

LiteSpeed Cache is a popular cache plugin installed on over 5 million sites,

According to

https://patchstack.com/articles/critical-privilege-escalation-in-litespeed-cache-plugin-affecting-5-million-sites?_s_id=cve

the vulnerability allows hackers to steal the credentials of a user who is currently logged in to WordPress and allow hacker to log in from a different location.
In other words, an administrator user could be hijacked without authentication and WordPress could be manipulated through that user.
The ID of the vulnerability is CVE-2024-28000.

The severity of the vulnerability can be seen by the fact that the finder of this vulnerability was paid a reward of US$14,400, the highest amount ever paid by the WordPress team.

Patch LiteSpeed Cache Vulnerability

To find out if this vulnerability is on your site, please use our plugin and use valunarbility checker.

[Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

The code modifications made by the LiteSpeed Cache team to close the vulnerability can be found below, but they are complex and may be difficult to do manually.

https://plugins.trac.wordpress.org/changeset/3135111/litespeed-cache/trunk

The easiest way to close the LiteSpeed Cache vulnerability is to update the LiteSpeed Cache plugin to version 6.4 or higher.
We recommend that you take action as soon as possible.

Related Posts:

  1. Vulnerability in wordpress plugin yuzo related posts, plugin cannot be downloaded
    There is a vulnerability in the wordpress plugin yuzo related posts, but no update has been released. this article explains how to resolve the vulnerability in yuzo related posts....
  2. Are WordPress sites vulnerable and easily hacked?
    How easy is a WordPress site to be hacked really? We would like to examine these numbers and probabilities and consider how easy it is for a WordPress site to be hacked....
  3. Vulnerability in File Manager Plugin, which allows WordPress to operate like FTP software
    The File Manager plug-in, which enables file manipulation on the administration screen like FTP software and has been installed on over 700,000 sites, has a very dangerous vulnerability in version 6.9 or lower....
  4. [Urgent] File Upload Vulnerability in Contact Form 7 v5.3.1 and Below
    A file-uploadable (most dangerous) vulnerability was discovered in the Contact Form 7 plugin 5.3.1 and below, which is installed in 5 million sites....
  5. What is a 0Day attack that exploits a WordPress vulnerability?
    About 60% of WordPress tampering damage is caused by vulnerabilities in the old WordPress itself and plugins. Some of these are 0-day attacks. This is explained here....
  6. Serious Vulnerability in WordPress Jetpack Plugin
    A serious vulnerability has been discovered in the Jetpack plugin for WordPress and a version update has been distributed. This section explains how to deal with this vulnerability....