A vulnerability has been discovered in LiteSpeed Cache, a popular WordPress cache plugin installed on over 5 million sites. Versions 6.3.0.1 and below are affected. We recommend updating as soon as possible.

Vulnerability in LiteSpeed Cache 6.3.0.1 and lower allows hijacking of logged-in user accounts

LiteSpeed Cache is a popular cache plugin installed on over 5 million sites.

According to

https://patchstack.com/articles/critical-privilege-escalation-in-litespeed-cache-plugin-affecting-5-million-sites?_s_id=cve

the vulnerability allows an attacker who is not logged in to impersonate an existing WordPress user, including an administrator, without knowing that user's password, and then to act on the site with that user's privileges. In other words, an administrator account can be hijacked without authentication and the WordPress site can be manipulated through that account. No credentials are stolen; the attacker simply does not need them.
The ID of the vulnerability is CVE-2024-28000.

The severity of the vulnerability can be seen from the fact that the researcher who found it was paid a reward of US$14,400 through Patchstack's bug bounty program, the highest bounty that program has ever paid.

Patching the LiteSpeed Cache vulnerability

To find out whether your site is affected by this vulnerability, install our plugin and run its vulnerability checker.

[Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal]

The code changes the LiteSpeed Cache team made to close the vulnerability can be seen in the changeset below, but they are extensive and not practical to apply by hand.

https://plugins.trac.wordpress.org/changeset/3135111/litespeed-cache/trunk

The easiest way to close the LiteSpeed Cache vulnerability is to update the LiteSpeed Cache plugin to version 6.4 or higher. Because the vulnerability lets an attacker act as an administrator without logging in, it is also worth reviewing the site's administrator accounts after updating and removing any you do not recognize.
We recommend that you take action as soon as possible.
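As an added example that is not part of the original post or of the LiteSpeed Cache plugin, the shell script below checks whether the installed copy of LiteSpeed Cache is below the fixed version 6.4. It reads the "Version:" header from the plugin's main file (litespeed-cache/litespeed-cache.php under wp-content/plugins, the standard WordPress plugin layout) and compares it numerically, so it works without WP-CLI or database access. The WordPress path, the helper names and the sample plugin header at the end are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: detect a vulnerable LiteSpeed Cache install (CVE-2024-28000,
# fixed in 6.4). Not the plugin's own code; paths and names are assumptions.

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Components are compared numerically, missing components count as 0,
# so 6.3.0.1 < 6.4 and 6.4.1 is not < 6.4.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0;
      yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1;   # equal is not "less than"
  }'
}

# Anything below the fixed release 6.4 is affected (6.3.0.1 and lower).
LSC_FIXED_VERSION="6.4"
lsc_version_is_vulnerable() {
  version_lt "$1" "$LSC_FIXED_VERSION"
}

# plugin_header_version FILE: print the value of the "Version:" line from a
# WordPress plugin header comment (e.g. " * Version: 6.3.0.1").
plugin_header_version() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# check_litespeed_cache WP_ROOT: exit 0 if patched, 1 if vulnerable,
# 2 if the plugin is absent or its version cannot be read.
check_litespeed_cache() {
  main="$1/wp-content/plugins/litespeed-cache/litespeed-cache.php"
  if [ ! -f "$main" ]; then
    echo "litespeed-cache is not installed under $1"
    return 2
  fi
  ver=$(plugin_header_version "$main")
  if [ -z "$ver" ]; then
    echo "could not read the Version header from $main"
    return 2
  fi
  if lsc_version_is_vulnerable "$ver"; then
    echo "VULNERABLE: litespeed-cache $ver is below $LSC_FIXED_VERSION (CVE-2024-28000)"
    return 1
  fi
  echo "OK: litespeed-cache $ver"
  return 0
}

# Stand-alone demonstration on a constructed (fake) WordPress tree holding a
# plugin header at the vulnerable version; no real site is touched.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins/litespeed-cache"
printf '<?php\n/**\n * Plugin Name: LiteSpeed Cache\n * Version: 6.3.0.1\n */\n' \
  > "$demo/wp-content/plugins/litespeed-cache/litespeed-cache.php"
check_litespeed_cache "$demo" || true
rm -rf "$demo"
```

Run it against a real install with `check_litespeed_cache /var/www/html` (adjust the path). If it reports VULNERABLE, update from the WordPress admin or with WP-CLI's `wp plugin update litespeed-cache`, then re-run the check; the plugin header should then read 6.4 or higher.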