A recent vulnerability has been identified in the LiteSpeed Cache plugin for WordPress, putting users at risk of unauthorized access to their websites. The vulnerability allows attackers to trigger hash generation through an unprotected Ajax handler, potentially compromising all sites using LiteSpeed Cache, regardless of whether the crawler feature is enabled or not. This discovery has raised concerns among the WordPress community, prompting LiteSpeed to urge users to upgrade to version 6.4 or higher immediately.
The original attack path requires the LiteSpeed crawler to have been enabled and run at least once so that a hash is generated, and this alone has left many WordPress site owners exposed. Sites that never enabled the crawler are at risk as well, because the unprotected Ajax handler lets an attacker trigger hash generation on demand. LiteSpeed has emphasized the importance of upgrading to the latest version of the plugin to address this security flaw and protect users’ websites from unauthorized access.
One key point highlighted in the report is that Windows systems are not affected by this vulnerability. LiteSpeed has confirmed that the function required to generate the hash is not available in Windows, making it impossible for the vulnerability to be exploited on Windows-based WordPress instances. However, sites using Linux environments are still at risk, as the hash can be generated on these operating systems, potentially leading to unauthorized access to websites.
To mitigate the risk posed by this vulnerability, LiteSpeed has recommended that users not only upgrade to version 6.4 or higher but also check their sites’ user lists for any unrecognized accounts with administrator privileges and delete them. These temporary measures can help prevent unauthorized access to websites while users work to upgrade to the latest version of the plugin. LiteSpeed has provided detailed instructions on how to implement these measures in a blog post outlining the issue.
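The two checks LiteSpeed recommends above (confirm the plugin is at 6.4 or higher, and review the administrator list for accounts you do not recognize) can be scripted against WP-CLI output. The following is an added example, not code from LiteSpeed or the plugin: it parses the CSV that `wp plugin list --format=csv` and `wp user list --role=administrator --format=csv` produce, compares the installed LiteSpeed Cache version against 6.4, and flags administrator accounts that are missing from an allowlist you maintain or that were registered after a date you choose. The CSV samples, the allowlist and the cutoff date are constructed for illustration.

```python
"""Audit helper for the LiteSpeed Cache advisory (added example, not
LiteSpeed's code). Reads WP-CLI CSV exports, checks the plugin version
against 6.4 and flags administrator accounts that are not on an allowlist
or were created after a cutoff date."""
import csv
import io
from datetime import datetime

FIXED_VERSION = (6, 4)  # first release the advisory tells users to upgrade to

# Constructed sample of `wp plugin list --format=csv` output.
SAMPLE_PLUGINS_CSV = """name,status,update,version
litespeed-cache,active,available,6.3.0.1
akismet,inactive,none,5.3
"""

# Constructed sample of `wp user list --role=administrator --format=csv`.
SAMPLE_USERS_CSV = """ID,user_login,user_email,user_registered,roles
1,owner,owner@example.com,2021-03-02 10:15:00,administrator
7,editor_jane,jane@example.com,2022-06-11 08:00:00,administrator
42,wpsupp_user,x@example.invalid,2024-08-21 03:27:44,administrator
"""

# Constructed allowlist: the administrators the site owner actually created.
KNOWN_ADMINS = {"owner", "editor_jane"}


def parse_version(version):
    """Turn '6.3.0.1' into (6, 3, 0, 1) so tuples compare numerically."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def version_is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed plugin version is at or above the fixed release."""
    return parse_version(installed) >= fixed


def litespeed_version(plugins_csv):
    """Return the installed litespeed-cache version, or None if not installed."""
    for row in csv.DictReader(io.StringIO(plugins_csv)):
        if row["name"] == "litespeed-cache":
            return row["version"]
    return None


def suspicious_admins(users_csv, known_admins, registered_after=None):
    """Flag administrator accounts not in the allowlist or created recently."""
    flagged = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        if "administrator" not in row["roles"].split(","):
            continue
        reasons = []
        if row["user_login"] not in known_admins:
            reasons.append("not in allowlist")
        if registered_after is not None:
            registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
            if registered >= registered_after:
                reasons.append("registered after %s" % registered_after.date())
        if reasons:
            flagged.append({"ID": int(row["ID"]), "user_login": row["user_login"],
                            "reasons": reasons})
    return flagged


def audit(users_csv, plugins_csv, known_admins, registered_after=None):
    """Combine both checks into one report dictionary."""
    version = litespeed_version(plugins_csv)
    return {
        "litespeed_version": version,
        "needs_upgrade": version is not None and not version_is_fixed(version),
        "suspicious_admins": suspicious_admins(users_csv, known_admins, registered_after),
    }


if __name__ == "__main__":
    # Constructed cutoff: review every admin created on or after this date.
    report = audit(SAMPLE_USERS_CSV, SAMPLE_PLUGINS_CSV, KNOWN_ADMINS,
                   registered_after=datetime(2024, 8, 1))
    print("LiteSpeed Cache version:", report["litespeed_version"],
          "(upgrade needed)" if report["needs_upgrade"] else "(fixed)")
    for admin in report["suspicious_admins"]:
        print("REVIEW admin ID %d (%s): %s" % (admin["ID"], admin["user_login"],
                                                 ", ".join(admin["reasons"])))
```

On a live site, pipe the real WP-CLI output into the two parsers instead of the constructed samples. Any account the report flags should be verified with whoever administers the site before removal; WP-CLI's `wp user delete <ID> --reassign=<owner-ID>` removes the account while keeping its content attributed to a legitimate user.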
Overall, the discovery of this vulnerability in the LiteSpeed Cache plugin serves as a reminder of the importance of keeping plugins and software up to date to ensure the security of WordPress websites. By taking proactive measures to address security vulnerabilities and staying informed about potential risks, users can better protect their websites from unauthorized access and potential data breaches. As the WordPress community works to address this vulnerability, users are encouraged to follow LiteSpeed’s recommendations and prioritize the security of their websites.
