Stay Ahead of Threats: LiteSpeed Cache for WordPress Security Update
At NoFrillsCloud, your website’s security is our top priority. We’ve recently become aware of a new vulnerability in older versions of the LiteSpeed Cache for WordPress plugin (versions 6.3.0.1 and below). We’ve taken immediate action to protect our customers and are providing you with the information you need to ensure your sites remain secure.
The Vulnerability
An unauthenticated privilege escalation was found in the LiteSpeed Cache (LSCache) plugin versions 6.3.0.1 and below.
This vulnerability allows an attacker to gain elevated access to, and potentially take full control of, your WordPress site without logging in. This poses a serious risk to your website’s data and functionality.
The vulnerability has been fixed in the LSCache plugin version 6.4.1 and later. If you have the latest version installed, your website is protected from this specific threat.
For more technical users: The vulnerability lies in a user simulation feature of the plugin, which is protected by a weak security hash generated from known values. It has been assigned the identifier CVE-2024-28000. For further technical details, please refer to the security advisory by Patchstack.
Actions Taken by NoFrillsCloud
As soon as we were notified of the vulnerability, we took immediate action:
- Automatic Updates: We’ve updated the LiteSpeed Cache plugin to version 6.4.1 (which includes the fix) for almost all websites hosted on our cPanel Cloud Hosting, Cloud Reseller Hosting, Managed WordPress Hosting, and Managed Cloud Server.
- New Installations: All new installations of the LiteSpeed Cache plugin will now be at least version 6.4.1.
- WAF Rules (September 2024 Update): We’ve rolled out Web Application Firewall (WAF) rules to protect all WordPress installations that are running LiteSpeed Cache plugin versions older than 6.5.0.1. The rules protect against both CVE-2024-28000 and the newer CVE-2024-44000 vulnerability.
Important Note:
A few websites with specific custom configurations may have been excluded from the automatic update. We strongly recommend that all website owners double-check their LiteSpeed Cache plugin version to ensure it’s at least version 6.4.1.
What to Do if You Host Elsewhere
If you manage WordPress websites hosted on other platforms that use the LiteSpeed Cache plugin, please update to the latest version (6.4.1 or newer) immediately through your WordPress dashboard or with the WP-CLI command:
wp plugin update litespeed-cache
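As an added example (not part of NoFrillsCloud’s advisory), the following POSIX shell script audits one or more WordPress installs for a LiteSpeed Cache version below the fixed 6.4.1 release and runs the WP-CLI update above where needed. It assumes WP-CLI (`wp`) is on PATH and that each argument is a WordPress root directory; `version_lt`, `lscache_vulnerable` and `check_site` are helper names chosen here.

```shell
#!/bin/sh
# Added example (not part of the original advisory): audit WordPress installs
# for LiteSpeed Cache versions below the fixed release and update them.
# Assumes WP-CLI ("wp") is on PATH and each argument is a WordPress root.

FIXED_VERSION="6.4.1"   # first release containing the fix per the advisory

# version_lt A B: succeed (exit 0) if dot-separated version A is strictly
# lower than B. Missing trailing components count as 0, so 6.4 < 6.4.1.
# Non-numeric suffixes such as "-beta" are ignored on each component.
version_lt() {
  a="$1"; b="$2"; i=1
  while :; do
    ca=$(printf '%s\n' "$a" | cut -d. -f"$i"); ca=${ca%%[!0-9]*}
    cb=$(printf '%s\n' "$b" | cut -d. -f"$i"); cb=${cb%%[!0-9]*}
    [ -z "$ca" ] && [ -z "$cb" ] && return 1   # ran out of components: equal
    ca=${ca:-0}; cb=${cb:-0}
    [ "$ca" -lt "$cb" ] && return 0
    [ "$ca" -gt "$cb" ] && return 1
    i=$((i + 1))
  done
}

# lscache_vulnerable VERSION: succeed if VERSION is below FIXED_VERSION,
# i.e. still exposed to CVE-2024-28000 (6.3.0.1 and below).
lscache_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_site DIR: read the installed plugin version with WP-CLI, report it,
# and run the update from the advisory when the version is affected.
check_site() {
  site="$1"
  v=$(wp --path="$site" plugin get litespeed-cache --field=version 2>/dev/null) \
    || { echo "$site: litespeed-cache is not installed"; return 0; }
  if lscache_vulnerable "$v"; then
    echo "$site: litespeed-cache $v is below $FIXED_VERSION, updating"
    wp --path="$site" plugin update litespeed-cache
  else
    echo "$site: litespeed-cache $v is at or above $FIXED_VERSION"
  fi
}

for site in "$@"; do
  check_site "$site"
done
```

Since the WAF note above covers plugins older than 6.5.0.1, the same script can be pointed at that threshold by changing FIXED_VERSION.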
Proactive Protection is Our Priority
We continuously monitor security alerts and act swiftly to safeguard your websites. We’ll keep you informed about critical updates and security recommendations to ensure your online presence remains secure.