Critical Vulnerability in LiteSpeed Cache Plugin Affects Over 5 Million WordPress Sites

A critical security flaw has been discovered in the LiteSpeed Cache WordPress plugin, potentially affecting more than 5 million websites worldwide. The vulnerability allows hackers to gain administrator rights and upload malicious files and plugins, posing a significant risk to affected sites.

The vulnerability was first reported to Patchstack through its WordPress Bug Bounty program, which incentivizes researchers to report security issues by offering cash rewards. The flaw was discovered by a researcher who qualified for a $14,400 USD bounty, and Patchstack worked closely with the plugin developer to patch the vulnerability before making it public.

Patchstack founder Oliver Sild discussed the seriousness of the vulnerability with Search Engine Journal, highlighting the potential risks due to the plugin’s large install base. “It’s a critical vulnerability, made particularly dangerous because of its large install base. Hackers are looking into it as we speak,” Sild stated. While no widespread exploitation attempts have been reported, Sild warned that it’s only a matter of time before hackers try to take advantage of the flaw.

The vulnerability arises from a feature in the LiteSpeed Cache plugin that creates a temporary user to crawl the website and generate a cache of web pages. This cache speeds up web page loading by reducing the need for the server to fetch data from the database repeatedly. However, the security flaw lies in the plugin’s user simulation feature, which is protected by a weak security hash. Patchstack explained that this hash uses known values, making it vulnerable to exploitation.

In light of this discovery, WordPress site owners using the LiteSpeed Cache plugin are strongly advised to update their sites immediately. The vulnerability was fixed in version 6.4.1, released on August 19th, 2024. For those using the Patchstack WordPress security solution, instant vulnerability mitigation was provided, ensuring protection even before the official patch was released. Patchstack offers both a free version of its security solution and a paid version, which costs as little as $5 per month.
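To act on the update advice above, the following added example (not code from Patchstack or the plugin's developers) reads the installed plugin's header and classifies a WordPress root against the fixed release 6.4.1. The plugin path `wp-content/plugins/litespeed-cache/litespeed-cache.php` and the standard `Version:` header line are assumptions about a default install, and the sample sites are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (6, 4, 1)  # first fixed release according to the article
# Assumption: default WordPress layout and the plugin's usual slug and main file
PLUGIN_FILE = Path("wp-content/plugins/litespeed-cache/litespeed-cache.php")
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)

def parse_version(text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".") if p]
    return tuple(parts) if parts else None

def pad(v, n=4):
    """Right-pad with zeros so 6.4 and 6.4.0.0 compare as equal."""
    return tuple(v) + (0,) * (n - len(v))

def audit(site_root):
    """Classify one WordPress root: absent, unknown, vulnerable or patched."""
    path = Path(site_root) / PLUGIN_FILE
    if not path.is_file():
        return "absent"
    # The header comment sits at the top of the file, so 8 KB is enough
    version = parse_version(path.read_text(errors="replace")[:8192])
    if version is None:
        return "unknown"
    return "vulnerable" if pad(version) < pad(FIXED) else "patched"

def demo():
    """Build constructed sample sites in a temp dir and audit each one."""
    results = {}
    samples = [("old", "6.3.0.1"), ("fixed", "6.4.1"), ("newer", "6.10"), ("none", None)]
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in samples:
            root = Path(tmp) / name
            root.mkdir()
            if ver:
                f = root / PLUGIN_FILE
                f.parent.mkdir(parents=True)
                f.write_text(f"<?php\n/**\n * Plugin Name: LiteSpeed Cache\n * Version: {ver}\n */\n")
            results[name] = audit(root)
    return results

if __name__ == "__main__":
    for site, status in demo().items():
        print(f"{site}: {status}")
```

The result reflects only the files on disk, so a site reported as "unknown" needs a manual check of the plugin version in the WordPress admin.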


Copyright © 2018 Article Farmer.