BleepingComputer reports that more than five million websites with the LiteSpeed Cache WordPress plugin are at risk of being hijacked in attacks leveraging the critical unauthenticated privilege escalation flaw tracked as CVE-2024-28000.
The flaw was addressed last week. According to a report from Patchstack, it can be exploited through a brute-force attack that iterates over all known possible security hash values and passes each one in the litespeed_hash cookie, which could facilitate immediate site access through any user ID, provided that threat actors know an admin-level user's ID. "The difficulty of determining such a user depends entirely on the target site and will succeed with a user ID 1 in many cases," said Patchstack researcher Rafie Muhammad. Such findings have prompted Wordfence to urge immediate updates to version 6.4.1 of LiteSpeed Cache. "We have no doubts that this vulnerability will be actively exploited very soon," said Wordfence threat intel lead Chloe Chamberland.
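Because the attack described above cycles many different values through the litespeed_hash cookie, a defender can look for clients that present an unusual number of distinct values. The following is an added example, not code from Patchstack, Wordfence or the plugin; the log layout (with the Cookie header recorded), the sample lines and the threshold of 5 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed log layout (constructed for this example): client IP, quoted request
# line, status code, then the Cookie header in quotes. Stock access-log formats
# do not record cookies, so the server has to be configured to log them.
LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) "([^"]*)"$')
# Match the litespeed_hash cookie only as a whole cookie name.
HASH_RE = re.compile(r'(?:^|;\s*)litespeed_hash=([^;]*)')


def distinct_hashes_by_ip(lines):
    """Map each client IP to the set of litespeed_hash values it presented."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed layout
        ip, cookie = m.group(1), m.group(4)
        h = HASH_RE.search(cookie)
        if h:
            seen[ip].add(h.group(1))
    return seen


def flag_bruteforce(lines, threshold=5):
    """Return {ip: count} for clients presenting more than `threshold` distinct values."""
    counts = {ip: len(vals) for ip, vals in distinct_hashes_by_ip(lines).items()}
    return {ip: n for ip, n in counts.items() if n > threshold}


# Constructed sample log: one client cycling through values, one client
# re-sending a single value, one client with no such cookie, one junk line.
SAMPLE = (
    [f'198.51.100.7 "GET / HTTP/1.1" 200 "litespeed_hash=constructed{i:04d}"' for i in range(40)]
    + ['203.0.113.9 "GET / HTTP/1.1" 200 "session=abc; litespeed_hash=constructedsame"'] * 3
    + ['192.0.2.15 "GET / HTTP/1.1" 200 "session=xyz"', "not a log line"]
)

if __name__ == "__main__":
    for ip, n in flag_bruteforce(SAMPLE).items():
        print(f"{ip}: {n} distinct litespeed_hash values")
```

A hit from this check is a signal to investigate, and it complements rather than replaces the update to version 6.4.1.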