Critical WordPress LiteSpeed Cache Vulnerability (CVE-2024-28000)

David Pottrell

Hi! I’m a web developer and Head of Digital at Nebula Design who loves all things tech. When I’m not surrounded by code, I’m probably reading up on the latest development trends or on the pottery wheel.

I got my start in technology as a self-taught web freelancer; after studying at university and joining a small agency, Nebula Design was created. I specialise in both front-end and back-end development, typically around WordPress. I’ve also got expertise in Search Engine Optimisation, Ecommerce and various emerging tech standards.

Published on August 23rd, 2024

This unauthenticated privilege escalation vulnerability, reported by the Patchstack team, has been assigned CVE-2024-28000.

What’s the issue?

A security vulnerability has been found in the LiteSpeed Cache plugin. Given certain conditions, this could allow unauthorised users to gain elevated privileges on your site, which might lead to a full site compromise. Given its severity, researchers have rated it as “Critical,” with a CVSS score of 9.8, and strongly recommend updating to at least version 6.4 immediately. Rafie Muhammad’s post has more details on the technical side of the vulnerability and its patch.

LiteSpeed Cache has over 5 million active installations and is known as the most popular caching plugin for WordPress.

Wordfence blocked 29,816 attacks targeting this vulnerability in the past 24 hours.

The LiteSpeed Cache team has responded swiftly, releasing version 6.4 on August 13, 2024, to patch the vulnerability. But the race against time is on. With millions of sites potentially affected, the update process is a monumental task.

https://patchstack.com/

How Does This Affect Me?

If you’re using the LiteSpeed Cache plugin on a WordPress site, it’s important to take action immediately and update the plugin to version 6.4. Failure to do so could result in your website being compromised by users looking to exploit this vulnerability. If you’re not using WordPress OR this plugin, no need to worry — this doesn’t affect you.

What Should I Do?

If the plugin is installed, you should update it to version 6.4 or higher as soon as possible. This update includes a fix for the security issue. If you have a WordPress Maintenance Agreement with us, we’ve already actioned this for you.
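If you look after more than one WordPress site, the following added example (not code from Patchstack, LiteSpeed or this post) reads the plugin header of every install under a directory and reports which ones are still below the fixed release 6.4. The plugin file path and the sample header are assumptions about a standard install layout.

```python
import re
import sys
from pathlib import Path

FIXED = "6.4"  # first patched release named in the advisory
# Assumption: the plugin's main file lives at this path inside each install.
PLUGIN_FILE = "wp-content/plugins/litespeed-cache/litespeed-cache.php"
VERSION_RE = re.compile(r"^[ \t*]*Version:\s*(\d[\w.\-]*)", re.M | re.I)

# Constructed sample of a WordPress plugin header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Version:     6.3.0.1
 */
"""

def plugin_version(text):
    """Return the 'Version:' value from a plugin header comment, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def version_key(version):
    """'6.3.0.1' -> (6, 3, 0, 1), reading the leading dotted-number part only."""
    lead = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(n) for n in lead.group().split(".")) if lead else ()

def is_patched(version, fixed=FIXED):
    """True when version >= fixed; pads with zeros so 6.4 equals 6.4.0."""
    a, b = version_key(version), version_key(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def audit(root):
    """Map each WordPress install found under root to (version, status)."""
    results = {}
    for main_file in sorted(Path(root).glob("**/" + PLUGIN_FILE)):
        site = main_file.parents[3]  # drop wp-content/plugins/litespeed-cache
        version = plugin_version(main_file.read_text(errors="replace")[:8192])
        status = "unknown" if version is None else (
            "patched" if is_patched(version) else "needs update")
        results[str(site.relative_to(root))] = (version, status)
    return results

if __name__ == "__main__":
    print(plugin_version(SAMPLE_HEADER), is_patched(plugin_version(SAMPLE_HEADER)))
    for site, (ver, status) in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{site}\t{ver}\t{status}")
```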