Another top WordPress plugin has a major security flaw — and millions of sites could be affected


LiteSpeed Cache (free version), arguably the world’s most popular WordPress plugin for site optimization, was vulnerable in a way that allowed hackers to obtain admin-level privileges and essentially take over the websites that had it installed.

This is according to the WordPress vulnerability mitigation project, Patchstack, whose member, John Blackbourn, discovered and reported the flaw.

As per the WordPress Plugins page, LiteSpeed Cache has more than five million active installations at press time, meaning the potential attack surface could be quite extensive.

Big bounty

LiteSpeed Cache is a plugin for the WordPress website builder designed to help optimize websites for speed. It features an exclusive server-side cache as well as a wide variety of other optimization features. WordPress Multisite is supported, and the plugin is compatible with most other popular solutions, such as Yoast SEO or WooCommerce. It is primarily designed for WordPress sites that use the LiteSpeed Web Server, but it works with Apache and Nginx, too.

The vulnerability was found in the plugin’s user simulation feature, which was protected by a weak security hash built from known values, the researcher explained. According to the report, an attacker could brute force all one million possible values of the security hash and pass them in the litespeed_hash cookie in mere hours. The only prerequisite was knowing the admin’s user ID, which is simply “1” in many cases.

The vulnerability is now tracked as CVE-2024-28000. Web admins running this plugin on their website are advised to update it to the latest version (6.4) immediately, since this version mitigates the problem. Failing to do so could result in complete website takeover, since the flaw allows attackers to install other plugins at will.
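The brute-force pattern described above leaves a recognisable trace in web server logs: one client presenting many different litespeed_hash cookie values within a short time, whereas a legitimate session reuses a single value. The Python below, added here as an example and not code from the article, from Patchstack or from the LiteSpeed Cache plugin, scores each client IP by the number of distinct litespeed_hash values it presented inside a time window and flags the ones that exceed a threshold. It assumes a custom access-log format that records the Cookie header (Apache's default combined format does not), and every log line, IP address and hash value in it is constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format): <ip> [<timestamp>] "<request>" <status> "<Cookie header>"
# 203.0.113.5 cycles through five hash values in three seconds; 198.51.100.9 reuses one value.
SAMPLE_LOG = """\
203.0.113.5 [21/Aug/2024:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 "litespeed_hash=000001"
203.0.113.5 [21/Aug/2024:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 "litespeed_hash=000002"
203.0.113.5 [21/Aug/2024:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 "litespeed_hash=000003"
203.0.113.5 [21/Aug/2024:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 "litespeed_hash=000004"
203.0.113.5 [21/Aug/2024:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 302 "litespeed_hash=000005"
198.51.100.9 [21/Aug/2024:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 "wp_session=constructed; litespeed_hash=482910"
198.51.100.9 [21/Aug/2024:10:01:05 +0000] "GET /wp-admin/post.php HTTP/1.1" 200 "wp_session=constructed; litespeed_hash=482910"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def litespeed_hash_from_cookie(cookie_header):
    """Return the litespeed_hash value carried in a Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "litespeed_hash":
            return value
    return None


def parse_log(text):
    """Return (ip, timestamp, hash) for every line that carries a litespeed_hash cookie."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the assumed format; skip it
        h = litespeed_hash_from_cookie(m.group("cookie"))
        if h is None:
            continue  # request did not present the cookie of interest
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        events.append((m.group("ip"), ts, h))
    return events


def max_distinct_hashes(events, window_seconds=60):
    """For each client IP, the largest number of distinct litespeed_hash values
    seen within any window of window_seconds. A real simulated-user session
    keeps one value; a search of the one-million-value space cycles through many."""
    by_ip = defaultdict(list)
    for ip, ts, h in events:
        by_ip[ip].append((ts, h))
    result = {}
    for ip, items in by_ip.items():
        items.sort()
        best = 0
        # Slide a window starting at each event; quadratic, fine for a log sample.
        for i, (start, _) in enumerate(items):
            seen = set()
            for ts, h in items[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(h)
            best = max(best, len(seen))
        result[ip] = best
    return result


def flag_bruteforce(text, window_seconds=60, threshold=3):
    """Return the sorted list of IPs whose distinct-hash count in some window
    reaches the threshold; these are the candidates worth blocking or reviewing."""
    counts = max_distinct_hashes(parse_log(text), window_seconds)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in max_distinct_hashes(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {n} distinct litespeed_hash values in a 60s window")
    print("flagged:", flag_bruteforce(SAMPLE_LOG))
```

The threshold is deliberately low for the constructed sample; on a real site it should be tuned against a baseline of normal traffic, since a legitimate user never needs more than one value of this cookie per session. Detection of this kind is a stopgap, not a fix: the remedy the article gives is updating the plugin to version 6.4.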

The researcher who found the bug, John Blackbourn, was awarded $14,400 in cash for his work, the highest bounty in the history of WordPress bug bounty hunting, Patchstack concluded.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
