Widespread WordPress site compromise likely with critical LiteSpeed Cache bug

UKRAINE – 2021/11/22: In this photo illustration, the WordPress (WP, WordPress.org) logo is seen on a smartphone and in the background. (Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images)

BleepingComputer reports that more than five million websites running the LiteSpeed Cache WordPress plugin are at risk of being hijacked in attacks leveraging the critical unauthenticated privilege escalation flaw, tracked as CVE-2024-28000.

According to a report from Patchstack, the flaw, which was addressed last week, can be exploited by brute force: an attacker iterates through all known possible security hash values and passes each one in the litespeed_hash cookie, which grants immediate site access as any user ID, provided the attacker knows the ID of an admin-level user. "The difficulty of determining such a user depends entirely on the target site and will succeed with a user ID 1 in many cases," said Patchstack researcher Rafie Muhammad. Such findings have prompted Wordfence to urge immediate updates to version 6.4.1 of LiteSpeed Cache. "We have no doubts that this vulnerability will be actively exploited very soon," said Wordfence threat intel lead Chloe Chamberland.
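Because the attack described above works by cycling many litespeed_hash cookie values from one client in a short time, that pattern is detectable in web server logs. The following is an added detection example, not code from the article, Patchstack or Wordfence; it assumes a custom access-log format that also records the request's Cookie header and uses constructed sample lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the article). Assumed log format:
#   ip [timestamp] "request line" status "cookie header"
# The first client cycles six distinct litespeed_hash values in two seconds;
# the second reuses one legitimate hash across a normal session.
SAMPLE_LOG = """\
203.0.113.7 [22/Aug/2024:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 "litespeed_hash=h0001"
203.0.113.7 [22/Aug/2024:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 "litespeed_hash=h0002"
203.0.113.7 [22/Aug/2024:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 "litespeed_hash=h0003"
203.0.113.7 [22/Aug/2024:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 "litespeed_hash=h0004"
203.0.113.7 [22/Aug/2024:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 302 "litespeed_hash=h0005"
203.0.113.7 [22/Aug/2024:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 "litespeed_hash=h0006"
198.51.100.4 [22/Aug/2024:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 "litespeed_hash=abc123"
198.51.100.4 [22/Aug/2024:10:05:05 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 "litespeed_hash=abc123"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                     r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$')
HASH_RE = re.compile(r'(?:^|;\s*)litespeed_hash=([^;\s]+)')


def parse_line(line):
    """Return (ip, timestamp, litespeed_hash) or None if the line has no such cookie."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h = HASH_RE.search(m["cookie"])
    if not h:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, h.group(1)


def find_hash_bruteforce(log_text, window_seconds=60, threshold=5):
    """Map each client IP to the largest number of distinct litespeed_hash values it
    presented within any sliding window; only IPs at or above `threshold` are returned."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec[0]].append(rec[1:])
    flagged = {}
    for ip, recs in events.items():
        recs.sort()
        window, counts, best = deque(), defaultdict(int), 0
        for ts, h in recs:
            window.append((ts, h))
            counts[h] += 1
            while (ts - window[0][0]).total_seconds() > window_seconds:  # expire old hits
                old_ts, old_h = window.popleft()
                counts[old_h] -= 1
                if counts[old_h] == 0:
                    del counts[old_h]
            best = max(best, len(counts))
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

A single legitimate user presents one hash per session, so a client rotating many distinct values is a strong signal worth alerting on or rate-limiting, whichever version of the plugin is installed.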
