A critical vulnerability in the LiteSpeed Cache WordPress plugin, tracked as CVE-2024-28000, is being actively exploited by attackers just one day after its technical details were made public, according to BleepingComputer.
The flaw affects all versions of the plugin up to and including 6.3.0.1 and allows unauthenticated attackers to escalate their privileges and create rogue administrator accounts. It stems from a weak security hash that gates the plugin's user simulation feature: the hash is generated from too little randomness, so an attacker can brute-force a valid value and be accepted by the check. Successful exploitation can lead to a complete takeover of the affected site, including installation of malicious plugins, changes to settings, redirection of traffic, and theft of data.

At present only about 30% of the more than 5 million sites running LiteSpeed Cache have upgraded to a safe version, leaving millions of websites exposed. Wordfence reports having blocked more than 48,500 attacks targeting the flaw in the past 24 hours alone. Site owners are strongly advised to update to version 6.4.1 or uninstall the plugin immediately; given that the attack creates new administrator accounts, it is also worth reviewing the user list for accounts that should not be there.
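As an added illustration, not taken from the article or from the plugin's source, the following Python sketch shows why a "security hash" of this kind fails when it is produced by a seedable PRNG with a small seed range: the attacker does not have to search the apparent token space (alphabet to the power of length) but only the seed space, by replaying the generator. The token length, alphabet and seed range below are constructed assumptions for the illustration, and the hardened version simply draws the token from the OS CSPRNG and compares in constant time.

```python
import hmac
import math
import random
import secrets
import string
from typing import Callable, Optional, Tuple

# Constructed parameters for the illustration; they are not taken from the plugin.
ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 6
SEED_SPACE = 1_000_000  # assumed: the seed can only take this many distinct values


def weak_token(seed: int) -> str:
    """Token from a PRNG whose seed comes from a small range.

    It looks like len(ALPHABET) ** TOKEN_LEN possibilities, but every token is
    fully determined by the seed, so at most SEED_SPACE distinct tokens exist.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def strong_token() -> str:
    """Hardened variant: 32 bytes from the OS CSPRNG, no seed to recover."""
    return secrets.token_urlsafe(32)


def make_checker(expected: str) -> Callable[[str], bool]:
    """Server-side check of a presented token.

    hmac.compare_digest avoids leaking how many leading bytes matched via
    response timing; it does not rescue a token that is guessable outright.
    """
    def check(candidate: str) -> bool:
        return hmac.compare_digest(candidate.encode(), expected.encode())
    return check


def brute_force(check: Callable[[str], bool],
                seed_space: int = SEED_SPACE) -> Optional[Tuple[int, str, int]]:
    """Replay the weak generator over every candidate seed until the check accepts.

    Returns (seed, token, attempts) or None. Against weak_token this succeeds
    within seed_space attempts; against strong_token it cannot succeed because
    that token is never among the generator's outputs.
    """
    for attempts, seed in enumerate(range(seed_space), start=1):
        candidate = weak_token(seed)
        if check(candidate):
            return seed, candidate, attempts
    return None


def effective_bits(possibilities: int) -> float:
    """Entropy in bits of a uniformly chosen value from `possibilities` options."""
    return math.log2(possibilities)


if __name__ == "__main__":
    # Apparent vs. effective strength of the weak scheme.
    print(f"apparent: {effective_bits(len(ALPHABET) ** TOKEN_LEN):.1f} bits")
    print(f"effective: {effective_bits(SEED_SPACE):.1f} bits (seed space)")

    # Server picks a token from a secret seed; attacker recovers it by replay.
    server_secret = weak_token(4242)
    hit = brute_force(make_checker(server_secret))
    print("weak scheme recovered:", hit)

    # Hardened scheme: no seed to enumerate, search space is 2**256.
    hardened = strong_token()
    print("strong scheme recovered:", brute_force(make_checker(hardened), seed_space=10_000))
    print(f"strong token: {effective_bits(2 ** 256):.0f} bits")
```

The lesson carried by the example is that an access check is only as strong as the entropy behind the value it compares, not the length of the string that value is printed as; generating the secret with a CSPRNG is what removes the brute-force path.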