Aug 27 2024

LiteSpeed Cache Plugin Vulnerability Risked 5+ Million WordPress Websites

Category: Information Security, Web Security | disc7 @ 11:15 am

WordPress admins using the Litespeed Cache plugin must update their sites with the latest plugin release to address a critical vulnerability. Exploiting the flaw allows an unauthenticated attacker to take control of target websites.

LiteSpeed Cache Plugin Vulnerability Could Allow Site Takeover

Security researcher John Blackbourn, working with Patchstack, discovered a critical privilege escalation vulnerability in the LiteSpeed Cache plugin. LiteSpeed Cache for WordPress offers an exclusive server-level cache and numerous site optimization features. The plugin has over 5 million active installations, which shows its popularity among WordPress users but also means that any vulnerability in it potentially threatens millions of websites.

Specifically, the vulnerability existed in the plugin's crawler feature, which includes a user simulation function so that crawler requests can be made as authenticated users. Because this feature relied on a weak security hash, an unauthenticated adversary could spoof an authenticated user and gain elevated site privileges. In the worst case, exploitation allowed the installation of malicious plugins and a complete site takeover.

The vulnerability, tracked as CVE-2024-28000, received a critical severity rating and a CVSS score of 9.8. It affected all plugin releases up to and including 6.3.0.1. A detailed technical analysis of the vulnerability is available in the recent post from Patchstack.

Vulnerability Patched With Latest Plugin Release

Upon finding the vulnerability, Blackbourn responsibly disclosed the flaw to the plugin developers via Patchstack. In response, the developers patched the vulnerability in LiteSpeed Cache plugin version 6.4. The researcher also received a $14,400 bounty under the Patchstack Zero Day program for this bug report. Now that the patch is available, all WordPress admins must update their sites to the latest plugin release to avoid potential threats. Ideally, users should update to LiteSpeed Cache plugin version 6.4.1, which appears as the latest release on the plugin's official page.
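For admins who manage more than one site, the practical follow-up to the advice above is an inventory check: which sites still run a LiteSpeed Cache build below 6.4? The script below is an added example, not code from the article, from Patchstack or from the plugin. It assumes you have already collected the output of `wp plugin list --format=json` (WP-CLI) from each site; the site names and versions in it are constructed sample data. It compares versions numerically rather than as strings, so that "6.3.0.1" is correctly ordered below "6.4" and "6.4.1" above it.

```python
"""Flag WordPress sites still running a LiteSpeed Cache build affected by
CVE-2024-28000 (all releases up to and including 6.3.0.1; fixed in 6.4).

Added example, not code from the article or from the plugin. It assumes the
JSON output of `wp plugin list --format=json` collected from each site; the
site names and versions below are constructed sample data.
"""
import json
import re

FIXED_VERSION = "6.4"          # first release containing the fix (from the article)
PLUGIN_SLUG = "litespeed-cache"

# Constructed sample: what `wp plugin list --format=json` might return on three sites.
SAMPLE_INVENTORY = {
    "shop.example": '[{"name":"litespeed-cache","status":"active","update":"available","version":"6.3.0.1"},'
                    ' {"name":"akismet","status":"active","update":"none","version":"5.3"}]',
    "blog.example": '[{"name":"litespeed-cache","status":"active","update":"none","version":"6.4.1"}]',
    "docs.example": '[{"name":"litespeed-cache","status":"inactive","update":"available","version":"6.2.0.1"}]',
}


def parse_version(version: str) -> tuple:
    """Turn '6.3.0.1' into (6, 3, 0, 1) so versions compare numerically, not lexically.
    A non-numeric suffix such as '-beta' is ignored; parsing stops at the first
    component that does not start with a digit."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed build predates the 6.4 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def affected_sites(inventory: dict) -> dict:
    """Map site -> installed version for every site whose LiteSpeed Cache copy is
    affected. Inactive copies are reported too: the files are still on disk and
    the plugin can be reactivated later."""
    hits = {}
    for site, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin["name"] == PLUGIN_SLUG and is_affected(plugin["version"]):
                hits[site] = plugin["version"]
    return hits


if __name__ == "__main__":
    for site, ver in sorted(affected_sites(SAMPLE_INVENTORY).items()):
        print(f"{site}: LiteSpeed Cache {ver} is affected; update to {FIXED_VERSION} or later")
```

Run against real data by replacing `SAMPLE_INVENTORY` with a mapping of site name to the JSON each site's WP-CLI returned. Treating any build below 6.4 as affected, rather than matching only "6.3.0.1", is deliberate: the article states that every release up to and including 6.3.0.1 is vulnerable.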


Attribution link: https://latesthackingnews.com/2024/08/26/litespeed-cache-plugin-vulnerability-risked-5-million-wordpress-websites/


Tags: Plugin Vulnerability, WordPress, Wordpress security


May 24 2011

Learn to secure Web sites built on open source CMSs

Category: App Security, Information Security | DISC @ 9:26 pm

CMS Security Handbook: The Comprehensive Guide for WordPress, Joomla, Drupal, and Plone

Open Source Software certainly does have the potential to be more secure than its closed source counterpart. But make no mistake, simply being open source is no guarantee of security.

Learn how to secure Web sites built on open source CMSs (Content Management Systems)

Web sites built on Joomla!, WordPress, Drupal, or Plone face some unique security threats. If you’re responsible for one of them, this comprehensive security guide, the first of its kind, offers detailed guidance to help you prevent attacks, develop secure CMS-site operations, and restore your site if an attack does occur. You’ll learn a strong, foundational approach to CMS operations and security from an expert in the field.

• More and more Web sites are being built on open source CMSs, making them a popular target and leaving you vulnerable to new forms of attack
• This is the first comprehensive guide focused on securing the most common CMS platforms: Joomla!, WordPress, Drupal, and Plone
• Provides the tools for integrating the Web site into business operations, building a security protocol, and developing a disaster recovery plan
• Covers hosting, installation security issues, hardening servers against attack, establishing a contingency plan, patching processes, log review, hack recovery, wireless considerations, and infosec policy

CMS Security Handbook is an essential reference for anyone responsible for a Web site built on an open source CMS.

Tags: CMS, Drupal, Joomla, Open source, Plone, web security, WordPress