A critical vulnerability in the popular WordPress plugin, LiteSpeed Cache, is being actively exploited by hackers. This plugin, designed to accelerate website loading times and used by millions of sites, has a flaw that allows unauthorized individuals to gain full administrative control.
Technical Breakdown of the Vulnerability
The vulnerability, officially designated as CVE-2024-28000, affects all versions of LiteSpeed Cache prior to 6.3.0.1. It resides in the plugin’s user simulation feature, where a weak hash check can be brute-forced by attackers to create unauthorized admin accounts.
Successful exploitation of this vulnerability grants attackers the ability to completely take over affected websites. This can include installing malicious plugins that further compromise the site, altering critical settings, redirecting unsuspecting visitors to harmful websites, and even stealing sensitive user data.
Widespread Exploitation and Alarming Statistics
The severity of the situation is amplified by the fact that less than a third of LiteSpeed Cache users have updated to the patched version. This leaves millions of websites exposed and vulnerable to attack.
WordPress security firm Wordfence has reported blocking over 48,500 attacks targeting this vulnerability in just the past 24 hours, underscoring the rapid and widespread nature of the exploitation attempts.
Expert Recommendations and Urgent Call to Action
Security experts are urging all users of LiteSpeed Cache to take immediate action. If you are currently using the plugin, it is imperative to upgrade to the latest version (6.4.1) as soon as possible. If you are unable to upgrade immediately, it is strongly recommended to uninstall the plugin entirely until you can do so.
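To act on the two version numbers above, the following added example (not code from the article or the plugin) reads the `Version:` field of the standard WordPress plugin header in `litespeed-cache.php` and compares it numerically against the 6.3.0.1 fix threshold, so that a release such as 6.10 is not misread as older than 6.3; the plugin path under `wp-content/plugins/litespeed-cache/` is assumed to be the default install location.

```python
"""Check whether an installed LiteSpeed Cache copy predates the 6.3.0.1 fix."""
import re
from pathlib import Path
from typing import Optional

FIXED_VERSION = "6.3.0.1"   # first release with the CVE-2024-28000 fix (from the article)
LATEST_VERSION = "6.4.1"    # release the article recommends upgrading to
# Matches the "Version:" line of a WordPress plugin header comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)

def parse_version(v: str) -> tuple:
    """Turn '6.3.0.1' into (6, 3, 0, 1) so components compare as integers."""
    return tuple(int(p) for p in v.strip().split("."))

def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b (numeric, zero-padded compare)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))

def header_version(plugin_source: str) -> Optional[str]:
    """Extract the Version: field from plugin file text, or None if absent."""
    m = HEADER_RE.search(plugin_source)
    return m.group(1) if m else None

def assess(plugin_source: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for the given plugin file text."""
    v = header_version(plugin_source)
    if v is None:
        return "unknown"
    return "vulnerable" if version_lt(v, FIXED_VERSION) else "patched"

def assess_install(wp_root: str) -> str:
    """Assess a live WordPress install (assumes the default plugin directory)."""
    p = Path(wp_root) / "wp-content" / "plugins" / "litespeed-cache" / "litespeed-cache.php"
    return assess(p.read_text(errors="replace")) if p.exists() else "unknown"

# Constructed sample in the WordPress plugin-header format (not a real plugin file).
SAMPLE_OLD = """<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Version: 6.3
 */
"""

if __name__ == "__main__":
    print(assess(SAMPLE_OLD))   # vulnerable
```

An "unknown" result (missing or unreadable header) should be treated as a prompt to inspect the install by hand, not as a clean bill of health.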
This incident serves as a stark reminder of the importance of maintaining updated plugins and adhering to security best practices. This is the second major security issue identified in LiteSpeed Cache this year, further emphasizing the need for constant vigilance in protecting WordPress websites from potential threats.