"Critical LiteSpeed Cache Plugin Flaw Exposes WordPress Sites"
A security researcher named John Blackbourn, through the Patchstack zero-day bug bounty program, has discovered a critical vulnerability in the LiteSpeed Cache plugin, potentially exposing millions of WordPress sites to severe security risks. The researcher noted that the vulnerability allows unauthorized users to gain administrator-level access and could lead to installing malicious plugins and compromising affected websites. The researcher said the vulnerability arises from the plugin’s weak security hash used in its user simulation feature. The hash is created through an insecure random number generator and stored without being salted or tied to a specific user request. After notification by Patchstack, the LiteSpeed team released a patch for the vulnerability, enhancing hash complexity, introducing one-time-use hashes, and implementing stricter validation procedures. Users of the LiteSpeed Cache plugin are advised to update to version 6.4 immediately to mitigate this security risk.
Infosecurity Magazine reports: "Critical LiteSpeed Cache Plugin Flaw Exposes WordPress Sites"
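As an added illustration (not the plugin's code, which the report does not show), here is a constructed Python model of the weak token design the summary describes beside a hardened form with the three fixes the patch is said to add: a stronger, CSPRNG-derived value, one-time use, and validation that binds the token to the requesting user and an expiry. All class and method names are hypothetical.

```python
import hashlib
import hmac
import random
import secrets
import time


class WeakSimulationToken:
    """Weak pattern from the summary (constructed illustration, not LiteSpeed's code):
    non-cryptographic PRNG, raw value stored, bound to no user, reusable forever."""

    def __init__(self):
        self.stored = None

    def issue(self) -> str:
        # random.random() is not a CSPRNG, and the output is kept verbatim server-side
        self.stored = hashlib.md5(str(random.random()).encode()).hexdigest()
        return self.stored

    def redeem(self, token: str, user_id: int) -> bool:
        # user_id is never checked and the token is never consumed
        return self.stored is not None and hmac.compare_digest(token, self.stored)


class HardenedSimulationToken:
    """Hardened form: CSPRNG token, keyed digest bound to the requesting user,
    only the digest stored, short expiry, consumed on first use."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)
        self.pending = {}  # digest -> {"exp": float, "used": bool}

    def _digest(self, token: str, user_id: int) -> str:
        # HMAC over user_id + token: the same token for another user yields a different key
        return hmac.new(self.secret, f"{user_id}:{token}".encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: int, now=None, ttl: float = 300) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token, user_id)] = {"exp": now + ttl, "used": False}
        return token  # the raw token goes to the client only; the server keeps the digest

    def redeem(self, token: str, user_id: int, now=None) -> bool:
        now = time.time() if now is None else now
        rec = self.pending.get(self._digest(token, user_id))
        if rec is None or rec["used"] or now > rec["exp"]:
            return False
        rec["used"] = True  # one-time use
        return True
```

The weak store accepts the same value for any user any number of times; the hardened store rejects a token presented for a different user, after first use, or after its expiry.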