Critical Vulnerability in LiteSpeedCache WordPress Plugin Affects Millions of Sites

TapTechNews, August 23rd: the tech outlet BleepingComputer reported on August 22nd that the LiteSpeedCache WordPress plugin contains a critical vulnerability. An unauthenticated attacker can exploit it to create a rogue administrator account and take over the site, and the plugin is installed on millions of WordPress websites.

Introduction to LiteSpeedCache

TapTechNews note: LiteSpeedCache is an open-source WordPress plugin and the most popular WordPress site-acceleration (caching) plugin, with more than 5 million active installations. It supports WooCommerce, bbPress, ClassicPress and YoastSEO.

Vulnerability Introduction

The vulnerability is tracked as CVE-2024-28000. It is caused by a weak hash check in LiteSpeedCache and affects all versions of the plugin up to and including 6.3.0.1.

An unauthenticated attacker who exploits the flaw gains administrator-level access and can take complete control of the site: install malicious plugins, change critical settings, redirect traffic to malicious websites, serve malware to visitors, or steal user data.

Security researcher John Blackbourn reported the vulnerability to Patchstack's bug bounty program on August 1st.

The LiteSpeed team developed a fix and shipped it in LiteSpeedCache 6.4, released on August 13th. Sites still running 6.3.0.1 or earlier should update to 6.4 or later.
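The check a site operator would want after reading the affected range above (every release up to and including 6.3.0.1, fixed in 6.4) is to compare the installed plugin version against the fixed release. The script below is an added example; it is not code from the TapTechNews article, BleepingComputer, Patchstack or the LiteSpeed project. It assumes the plugin slug is `litespeed-cache`, that WP-CLI is invoked as `wp` from the WordPress root, and that versions are purely numeric dotted strings; the version comparison is written in plain POSIX shell so it does not depend on GNU `sort -V`.

```shell
#!/bin/sh
# Added example (not from the article or the LiteSpeed project): decide whether an
# installed LiteSpeedCache version falls in the range affected by CVE-2024-28000
# (every release up to and including 6.3.0.1; fixed in 6.4) and, when invoked with
# --live, read the installed version from the site through WP-CLI.
# Assumptions: plugin slug "litespeed-cache", WP-CLI available as "wp" and run from
# the WordPress root, numeric dotted version strings (no "-beta" suffixes).

FIXED_VERSION="6.4"

# version_lt A B: succeed (exit 0) when dotted version A sorts strictly before B.
# Missing trailing components count as 0, so 6.4 equals 6.4.0 and 6.4.0.1 is above 6.4.
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"
        y="${b%%.*}"
        # Drop the component just read, or empty the string when none remain.
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"
        y="${y:-0}"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# litespeed_vulnerable VERSION: succeed when VERSION is below the fixed release 6.4.
litespeed_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site: read the installed plugin version via WP-CLI and report.
# Returns 0 when patched, 1 when vulnerable, 2 when the version could not be read.
check_site() {
    installed="$(wp plugin get litespeed-cache --field=version 2>/dev/null)" || installed=""
    if [ -z "$installed" ]; then
        echo "litespeed-cache: version not readable (plugin absent or not run from the WordPress root)"
        return 2
    fi
    if litespeed_vulnerable "$installed"; then
        echo "litespeed-cache $installed is affected by CVE-2024-28000; update with: wp plugin update litespeed-cache"
        return 1
    fi
    echo "litespeed-cache $installed is at or above $FIXED_VERSION; not affected"
    return 0
}

# The live WP-CLI query only runs when explicitly requested, so the functions above
# can be sourced and used on their own (e.g. against a version string from an inventory).
if [ "${1:-}" = "--live" ]; then
    check_site || exit $?
fi
```

Run `sh litespeed_check.sh --live` from the WordPress root to query the site; the exit code (0 patched, 1 vulnerable, 2 unreadable) makes it usable from a fleet-wide loop over many installs.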
