Millions of websites are at risk due to a critical vulnerability in the LiteSpeed Cache WordPress plugin.
“This vulnerability was reported through the Patchstack WordPress Bug Bounty program, which rewards security researchers for identifying vulnerabilities. The report earned a $14,400 USD bounty. We collaborate directly with both the researcher and the plugin developer to ensure vulnerabilities are properly patched before public disclosure.
Since the beginning of August, we’ve been monitoring the WordPress ecosystem for potential exploitation attempts. So far, there are no signs of mass exploitation, but we anticipate that this vulnerability could soon be targeted.”
When asked about the severity of the vulnerability, Sild emphasized:
“It’s a critical vulnerability, especially concerning due to its widespread use. Hackers are undoubtedly investigating it as we speak.”
What Caused the Vulnerability?
According to Patchstack, the issue stemmed from a plugin feature that creates a temporary, simulated user so the plugin's crawler can visit the site as that user and pre-generate cached copies of its pages. A cache stores copies of rendered pages and other resources and serves them straight to browsers, which speeds up page loads by avoiding repeated requests to the application and its database. The security-relevant point is that a request is accepted as coming from the simulated user on the strength of a security hash, so whoever can predict that hash can have the site treat their own requests as that user's.
Patchstack provided a technical explanation:
“The vulnerability exploits a user simulation feature in the plugin, which is protected by a weak security hash generated using known values. Unfortunately, this security hash generation has several flaws that make its possible values predictable.”
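To make that weakness concrete, here is an added sketch in PHP. It is not LiteSpeed Cache's code and not a reconstruction of it: it shows a hypothetical "security hash" seeded from the current time, the enumeration an attacker can run against it once the generation window is roughly known, and the hardened alternative built on PHP's CSPRNG with a stored digest and a constant-time comparison. The function names, the six-character length, the alphabet and the one-hour window are all assumptions chosen for illustration.

```php
<?php
// Added illustrative example; not the LiteSpeed Cache plugin's code.
declare(strict_types=1);

// --- Weak pattern (hypothetical) -------------------------------------------
// The "hash" is drawn from a PRNG seeded with a known value (here: the
// time in seconds). Same seed, same output, so it is reproducible by anyone
// who can guess the seed.
function weak_hash(int $seed_time): string {
    mt_srand($seed_time);                       // deterministic seeding
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $hash = '';
    for ($i = 0; $i < 6; $i++) {
        $hash .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $hash;
}

// Attacker side: if the hash was generated within a known window, try
// every seed in it. Returns the seed that reproduces $target, or null.
function recover_seed(string $target, int $window_start, int $window_end): ?int {
    for ($t = $window_start; $t <= $window_end; $t++) {
        if (weak_hash($t) === $target) {
            return $t;
        }
    }
    return null;
}

// --- Hardened pattern -------------------------------------------------------
// 128 bits from the CSPRNG: there is no input an attacker could know that
// lets them regenerate it. Store only a digest, compare in constant time.
function strong_token(): string {
    return bin2hex(random_bytes(16));
}

function token_record(string $token): string {
    return hash('sha256', $token);              // what the server persists
}

function token_valid(string $presented, string $stored_record): bool {
    return hash_equals($stored_record, hash('sha256', $presented));
}

// --- Demo -------------------------------------------------------------------
$now    = time();
$victim = weak_hash($now);                      // "issued" right now
$seed   = recover_seed($victim, $now - 3600, $now);
printf("weak hash %s: seed recovered from a 1h window? %s\n",
       $victim, $seed === null ? 'no' : "yes ($seed)");

$tok = strong_token();
$rec = token_record($tok);
var_dump(token_valid($tok, $rec));                   // bool(true)
var_dump(token_valid('0' . substr($tok, 1), $rec));  // bool(false)
```

Run it with `php example.php`. The weak branch recovers the seed after at most a few thousand cheap tries, which is the whole problem with deriving a secret from values an attacker can know or bound; a longer alphabet only raises the cost linearly in the window size, not in the token length. In the hardened branch the token should additionally be bound to an expiry and to the one crawler job it was issued for, so a leaked value is useless outside that job.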
Recommendation
Users of the LiteSpeed Cache WordPress plugin are strongly advised to update their sites immediately, as hackers may be actively seeking to exploit this vulnerability. The issue was resolved in version 6.4.1, released on August 19th. Check the installed version under Plugins in the WordPress admin (or with `wp plugin get litespeed-cache --field=version` on a site managed with WP-CLI) and update any site still running an earlier release.
Patchstack WordPress security solution users receive immediate mitigation of vulnerabilities. Patchstack offers a free version, with the paid version starting at just $5/month.