August 22, 2024 at 02:00AM
A critical security flaw in the LiteSpeed Cache plugin for WordPress (CVE-2024-28000, CVSS score: 9.8) could allow unauthenticated users to gain administrator privileges. It was patched in version 6.4, released on August 13, 2024. The vulnerability underscores the importance of strong, unpredictable security hashes and nonces in web applications: a token that can be guessed or reproduced is no better than no token at all.
Key takeaways:
1. A critical security flaw (CVE-2024-28000) in the LiteSpeed Cache plugin for WordPress was disclosed by cybersecurity researchers, allowing unauthenticated users to gain administrator privileges.
2. The vulnerability was patched in version 6.4 of the plugin, released on August 13, 2024; it affects all versions up to and including 6.3.0.1.
3. The vulnerability is due to a weak security hash that allows an unauthenticated attacker to spoof their user ID and register as an administrative-level user, potentially taking over a vulnerable WordPress site.
4. It’s important to note that the vulnerability cannot be exploited on Windows-based WordPress installations.
Given the severity of this flaw and the potential for exploitation by malicious actors, users should update to LiteSpeed Cache 6.4 or later as soon as possible.
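To make the "weak security hash" point in item 3 concrete, the following is an added, constructed Python model (not LiteSpeed Cache's code, and not PHP) of a hypothetical role-simulation token. The weak generator derives a 6-character token from a PRNG seeded with a guessable timestamp, so an attacker who knows roughly when the token was minted can replay the generator and reproduce it, then present it with a chosen user ID; the hardened generator draws 256 bits from the OS CSPRNG and cannot be reproduced from any public state. The alphabet, length, seed window and `GEN_TIME` value are all assumptions chosen for illustration.

```python
"""Toy model of a predictable "security hash" versus a CSPRNG token.

Constructed for illustration only; it is not LiteSpeed Cache's code.
"""
import hmac
import random
import secrets
import string

# Hypothetical weak scheme (assumption): 6 characters of [a-z0-9] drawn
# from a PRNG seeded with the Unix timestamp at which the hash was created.
WEAK_ALPHABET = string.ascii_lowercase + string.digits
WEAK_LENGTH = 6


def weak_hash(seed: int) -> str:
    """Deterministic: anyone who can guess the seed reproduces the hash."""
    rng = random.Random(seed)
    return "".join(rng.choice(WEAK_ALPHABET) for _ in range(WEAK_LENGTH))


def strong_hash() -> str:
    """256 bits from the OS CSPRNG; not reproducible from any public state."""
    return secrets.token_hex(32)


def weak_search_space() -> int:
    """Upper bound on distinct weak hashes even if the seed were unknown."""
    return len(WEAK_ALPHABET) ** WEAK_LENGTH  # 36**6 = 2,176,782,336


def recover_seed(target_hash: str, seed_lo: int, seed_hi: int):
    """Attacker side: replay the generator over a plausible seed window.

    Returns the seed that reproduces target_hash, or None if no seed in
    the window does.
    """
    for seed in range(seed_lo, seed_hi + 1):
        if weak_hash(seed) == target_hash:
            return seed
    return None


def verify_hash(presented: str, stored: str) -> bool:
    """Server side: constant-time comparison so timing leaks nothing."""
    return hmac.compare_digest(presented.encode(), stored.encode())


def resolve_role(presented_hash: str, stored_hash: str, requested_user_id: int):
    """Model of a role-simulation gate: honour the requested user ID only
    when the presented hash matches the stored one.  With a guessable
    hash this gate is exactly what lets an attacker pick user ID 1."""
    return requested_user_id if verify_hash(presented_hash, stored_hash) else None


# Constructed scenario: the site minted its hash at this Unix time.
GEN_TIME = 1_723_500_000


def demo() -> dict:
    stored_weak = weak_hash(GEN_TIME)
    # The attacker only knows the hash was minted within the last hour.
    found_seed = recover_seed(stored_weak, GEN_TIME - 3600, GEN_TIME)
    spoofed = None
    if found_seed is not None:
        spoofed = resolve_role(weak_hash(found_seed), stored_weak, 1)

    # Hardened form: two draws never agree, and there is no seed to replay.
    a, b = strong_hash(), strong_hash()
    return {
        "weak_seed_recovered": found_seed == GEN_TIME,
        "weak_spoofed_user_id": spoofed,
        "weak_search_space": weak_search_space(),
        "strong_tokens_distinct": a != b,
        "strong_bits": 4 * len(a),
    }


if __name__ == "__main__":
    print(demo())
```

The two properties to check in a real code base are the ones the model isolates: the token must come from a CSPRNG (`secrets` here, `random_bytes()` in PHP) rather than from a seeded PRNG or `str_shuffle`, and it must be long enough that enumeration is infeasible. Constant-time comparison is a separate, cheaper fix and does not rescue a token whose search space is small.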