PT-2024-6142 · Unknown · Litespeed Cache

John Blackbourn · Published 2024-08-21 · Updated 2025-09-19 · CVE-2024-28000

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: LiteSpeed Cache versions 1.9 through 6.3.0.1

Description: A critical flaw in the LiteSpeed Cache plugin could allow attackers to gain administrator access to WordPress sites. The issue affects over 5 million sites, leaving businesses exposed to severe security risks. The vulnerability stems from a weak security hash in the plugin's user simulation feature, which makes it possible for a remote, unauthenticated attacker to obtain administrator rights. The hash has only a million possible values, so it can be brute-forced in anywhere from several hours to a week. The vulnerability is being actively exploited, with over 30,000 attack attempts blocked in just 24 hours.

Recommendations: Update to version 6.4 or higher to secure your site. As a temporary workaround, consider disabling the vulnerable plugin until a patch is available. Restrict access to the plugin's user simulation feature to minimize the risk of exploitation. Avoid using the plugin's caching functionality until the issue is resolved.

Exploit

Fix

LPE

Incorrect Privilege Assignment


Weakness Enumeration

Related Identifiers

BDU:2024-07061
CVE-2024-28000

Affected Products

Litespeed Cache