Act Fast: Critical LiteSpeed Vulnerability
If your WordPress site uses the LiteSpeed Cache plugin, you must act on a new critical security flaw, CVE-2024-28000. The vulnerability allows an unauthenticated attacker to obtain administrator-level access, which can lead to a complete takeover of your website.
The team at WHC moved quickly to safeguard our clients by deploying extra protection specific to this vulnerability across all Web Hosting, Managed WordPress, and Reseller Hosting services. This protection is a temporary mitigation, not a fix: it blocks the known attack pattern at the hosting level but does not remove the flaw from the plugin itself.
To keep your website secure, action is needed on your part. You must update the LiteSpeed Cache plugin to version 6.4 or higher from your WordPress admin dashboard; only the plugin update removes the vulnerable code and keeps all features working as intended. Here is exactly what this means:
Who is affected?
This vulnerability impacts all WordPress sites running LiteSpeed Cache plugin versions 6.3.0.1 and earlier. With over five million active installations, it is one of the most widely used WordPress plugins, so it is critical that site owners upgrade to version 6.4 or later as soon as possible. A site that has not been updated remains exploitable. The attack is reported to be effective primarily against Linux-based servers; Windows-based WordPress sites are reported not to be exposed to this particular attack, but they should still update to a fixed version.
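For anyone responsible for more than one site, the question "is this install 6.3.0.1 or earlier?" needs a real version comparison, since plain string comparison gets cases like 6.10 versus 6.4 wrong. The following is an added example (not WHC's or LiteSpeed's code) that classifies a constructed inventory of sites against the fixed version 6.4; the inventory values are assumed to come from a command such as `wp plugin get litespeed-cache --field=version` run on each site.

```python
import re

# First LiteSpeed Cache release that fixes CVE-2024-28000, per the advisory.
FIXED_VERSION = "6.4"
PLUGIN_SLUG = "litespeed-cache"


def parse_version(version: str) -> tuple:
    """Turn '6.3.0.1' into (6, 3, 0, 1) so tuples compare numerically.

    A trailing tag such as '6.4-beta1' is ignored; anything with no leading
    numeric component is rejected rather than silently treated as safe.
    """
    match = re.match(r"^\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: dict) -> dict:
    """Map hostname -> plugin version (None if not installed) to an action.

    Returns {'update': [...], 'ok': [...], 'not_installed': [...]} so the
    'update' list can be fed straight into a patching run.
    """
    result = {"update": [], "ok": [], "not_installed": []}
    for host, version in sorted(inventory.items()):
        if version is None:
            result["not_installed"].append(host)
        elif is_vulnerable(version):
            result["update"].append(host)
        else:
            result["ok"].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames, not real sites).
SAMPLE_INVENTORY = {
    "shop.example.com": "6.3.0.1",   # last vulnerable release
    "blog.example.com": "6.4",       # exactly the fixed release
    "news.example.com": "6.4.1",     # later than the fix
    "old.example.com": "5.7.0.1",    # far behind, still vulnerable
    "static.example.com": None,      # plugin not installed
}

if __name__ == "__main__":
    for action, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{action}: {', '.join(hosts) or '-'}")
```

Sites in the `update` list need `wp plugin update litespeed-cache` (or the dashboard update) before they can be considered safe; a hosting-level rule only buys time.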
What’s the vulnerability?
CVE-2024-28000 stems from a weak security hash in the plugin's user simulation feature, which its crawler uses to fetch pages as a chosen user when warming the cache. An attacker who knows a valid hash can present it together with a user ID of their choosing, including an administrator's, and the plugin treats the request as coming from that user. With administrator privileges, the attacker can install malicious plugins, create new accounts, take over the site, and disrupt its operation.
The hash is produced by an insecure random number generator seeded with a value that has only one million possible states, so there are at most one million candidate hashes. An attacker can simply try them all (a brute-force attack) until the server accepts one. Once a valid hash is found, the spoofed administrator session can be used to create a new administrator account through the WordPress REST API, giving the attacker full control of the site.
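Why one million seeds is fatal, shown in code. This is an added model of the weakness, not the plugin's PHP: it does not reproduce PHP's mt_rand sequence, and uses SHA-256 of the seed as a stand-in for "whatever deterministic output an RNG gives once seeded with the microsecond field of the clock". The six-character length, the 62-symbol alphabet and the seed 123456 are assumptions for the illustration. The point is general: a secret that is a pure function of a one-million-value seed has under 20 bits of entropy no matter how the function looks, whereas a token from the OS CSPRNG is not enumerable.

```python
import hashlib
import hmac
import math
import secrets
import string

# Modelled seed space: the microsecond field of a clock, 0 .. 999999.
SEED_SPACE = 1_000_000
ALPHABET = string.ascii_letters + string.digits   # 62 symbols
HASH_LEN = 6                                      # assumed short-hash length


def weak_hash(seed: int) -> str:
    """Weak pattern: the hash is a pure function of a small seed.

    SHA-256 stands in for a seeded RNG; whatever the function, at most
    SEED_SPACE distinct hashes can ever be produced.
    """
    if not 0 <= seed < SEED_SPACE:
        raise ValueError("seed outside the modelled seed space")
    digest = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:HASH_LEN])


def strong_hash(length: int = 32) -> str:
    """Hardened pattern: token drawn from the OS CSPRNG, keyspace 62**length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def server_accepts(presented: str, stored: str) -> bool:
    """Server-side check; constant-time compare so timing does not leak the hash."""
    return hmac.compare_digest(presented.encode(), stored.encode())


def brute_force_seed(stored_hash: str, attempts: int = SEED_SPACE):
    """Attacker's view: submit every candidate until the server accepts one.

    Returns (seed, requests_sent); seed is None if no candidate matched,
    which is what happens against a strong_hash value.
    """
    for seed in range(attempts):
        if server_accepts(weak_hash(seed), stored_hash):
            return seed, seed + 1
    return None, attempts


def keyspace_bits(n_values: int) -> float:
    """Entropy of a uniform choice among n_values, in bits."""
    return math.log2(n_values)


if __name__ == "__main__":
    # Constructed scenario: the server generated its hash at microsecond 123456.
    stored = weak_hash(123456)
    seed, requests = brute_force_seed(stored)
    print(f"weak hash {stored!r}: recovered seed {seed} after {requests} requests "
          f"(keyspace {keyspace_bits(SEED_SPACE):.1f} bits)")

    strong = strong_hash()
    seed, requests = brute_force_seed(strong, attempts=10_000)
    print(f"strong hash: no match in {requests} requests "
          f"(keyspace {keyspace_bits(len(ALPHABET) ** len(strong)):.0f} bits)")
```

The worst case for the attacker is one million requests, which is a matter of hours against a site with no rate limiting; that is the scenario the hosting-level rule is meant to block while the plugin is updated, and it is why the fix had to replace the generator rather than lengthen the hash.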
What WHC has done
- Deployed virtual protection for Web Hosting: The team deployed a firewall rule specific to this vulnerability (a virtual patch) on all Web Hosting, Managed WordPress, and Reseller Hosting services. It stays in place while users update the LiteSpeed Cache plugin, but it is not a substitute for the update.
- Prompted users to update plugins: Although we have added a layer of protection, it is still crucial that you update the plugin to LiteSpeed Cache 6.4 or later yourself, through your WordPress admin interface.
- Support for Cloud and Dedicated Server clients: The protection above applies to our shared and managed plans. If you run LiteSpeed Cache on a Cloud or Dedicated server, follow the official instructions on LiteSpeed's website for patching, or contact our team. We are ready to assist if needed.
- Continuous Monitoring: Our cybersecurity team is monitoring for exploitation attempts and will take further action if necessary.
Stay informed and secure
Security vulnerabilities like CVE-2024-28000 highlight the importance of staying vigilant and keeping your website's software up to date. WHC is committed to keeping your site protected and providing ongoing support to ensure your online presence is safe.
If you haven’t already, please update your LiteSpeed Cache plugin to the latest version as soon as possible. If you’re unsure whether your site is secure or need assistance, don’t hesitate to contact us. Our team is here to help, 24/7.
Thank you for your trust in us.
Comments
Do you know if I have the updated, safe version?
Hello,
To check if you have the updated version of LiteSpeed Cache:
1. Log in to your WordPress Dashboard.
2. Go to Plugins.
3. Find LiteSpeed Cache in the list and check the version number next to it.
The latest version is 6.4.1. If your version matches this, you’re up to date! If not, an update option will appear. If you have any concerns or need further assistance, feel free to reach out to our support team.