A critical security vulnerability has been uncovered in the LiteSpeed Cache plugin for WordPress, impacting over five million websites. Discovered by security researcher John Blackbourn, this flaw poses a severe risk, allowing unauthorized users to gain administrator-level access to websites.
Patchstack, a leading security platform, awarded Blackbourn a record-breaking $14,400 bounty for his discovery—the highest ever in WordPress bug bounty history.
Understanding the Vulnerability
The vulnerability, identified as CVE-2024-28000, is classified as an unauthenticated privilege escalation. It stems from a weak security hash in the plugin’s user simulation feature. This feature, designed for the plugin’s crawler function, generated the hash from a predictable set of known values. As a result, attackers could brute-force the hash and gain unauthorized administrator access, compromising entire websites.
Key Factors Behind the Vulnerability
Several factors contributed to this critical flaw:
- The random number generator used to create the security hash relied on a limited set of values, making it predictable.
- The generator lacked cryptographic security, further weakening the hash.
- The hash was stored without salting or connection to specific users, making it universally applicable.
Even websites with the crawler feature disabled were at risk due to an unprotected Ajax handler that allowed hash generation. Patchstack researchers confirmed that a brute-force attack could grant unauthorized access in as little as a few hours.
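The three factors listed above (a predictable seed, a non-cryptographic generator, and a hash stored without any salt or binding to a user) can be shown side by side with their hardened counterparts. The following is an added Python illustration, not the plugin's PHP code: the seed-space size, the six-character hash, and the HMAC binding scheme are assumptions chosen to make the pattern visible, not values taken from the advisory.

```python
import hashlib
import hmac
import math
import random
import secrets

# Constructed illustration of the weak pattern. NOT the plugin's code; the
# seed space and hash length are assumptions, not details from the advisory.
WEAK_SEED_SPACE = 1_000_000   # assume the only varying input is an integer below 1e6


def weak_hash(seed: int) -> str:
    """Hash derived from a non-cryptographic PRNG seeded with a guessable value.

    Same seed -> same hash, so the effective keyspace is the seed space,
    not the 24 bits the six hex characters appear to carry.
    """
    rng = random.Random(seed)                 # deterministic Mersenne Twister, not a CSPRNG
    return hashlib.md5(str(rng.random()).encode()).hexdigest()[:6]


def weak_keyspace_bits() -> float:
    """Bits of work needed to enumerate every weak hash: log2 of the seed space (~19.9)."""
    return math.log2(WEAK_SEED_SPACE)


def secure_token() -> str:
    """256 bits from the OS CSPRNG; not reproducible from any known input."""
    return secrets.token_hex(32)


def bind_token(server_secret: bytes, token: str, user_id: int) -> str:
    """Store an HMAC that ties the token to one user and a server-side key.

    A value issued for user 5 will not verify for user 1, which removes the
    'universally applicable' property of an unsalted, user-less hash.
    """
    msg = f"{user_id}:{token}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


def verify(server_secret: bytes, stored: str, presented: str, user_id: int) -> bool:
    """Constant-time comparison so response timing does not leak matching prefixes."""
    return hmac.compare_digest(stored, bind_token(server_secret, presented, user_id))


if __name__ == "__main__":
    print(f"weak keyspace : {weak_keyspace_bits():.1f} bits")
    print(f"secure token  : {len(secure_token()) * 4} bits")
    key = secrets.token_bytes(32)          # server-side secret, generated once and kept out of the database
    tok = secure_token()
    stored = bind_token(key, tok, user_id=5)
    print("same user verifies :", verify(key, stored, tok, 5))
    print("other user verifies:", verify(key, stored, tok, 1))
```

The point of `weak_keyspace_bits` is that the apparent length of a hash says nothing about its strength: when every input to the generator is known or small, the search space collapses to the number of possible seeds. `bind_token` and `verify` address the third factor by making the stored value useless for any user other than the one it was issued to.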
Record-Breaking Bounty for LiteSpeed Cache Vulnerability
In recognition of this significant discovery, Patchstack awarded John Blackbourn a $14,400 bounty, the highest ever in the history of WordPress bug bounty hunting. This record-breaking reward underscores the critical nature of the vulnerability and the importance of proactive security measures in the WordPress ecosystem.
Immediate Actions Required
If your website uses the LiteSpeed Cache plugin, immediate action is necessary:
- Update the Plugin: Upgrade to version 6.4 or higher of the LiteSpeed Cache plugin.
- Review User Accounts: Audit your site’s user list and remove any suspicious administrator accounts.
- Implement Temporary Mitigations: If an immediate update isn’t possible, consider temporary measures like modifying the router.cls.php file or applying mod_sec rules as detailed in LiteSpeed’s official blog.
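The first two steps above (confirm the installed version is 6.4 or higher, and audit administrator accounts) can be scripted against WP-CLI output. This is an added Python example, not LiteSpeed's or Patchstack's tooling; it assumes the plugin slug `litespeed-cache`, the JSON field names produced by `wp user list`, and a review cutoff date that the operator sets to when the site was last known to be clean.

```python
import json
from datetime import datetime

# From the advisory: the fixed release is 6.4, so anything below it needs updating.
PATCHED_VERSION = (6, 4)


def parse_version(v: str) -> tuple:
    """'6.3.0.1' -> (6, 3, 0, 1). Stops at the first non-numeric part."""
    parts = []
    for p in v.strip().split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def needs_update(installed: str) -> bool:
    """True when the installed version is older than 6.4.

    Obtain `installed` with (assumed slug):
        wp plugin get litespeed-cache --field=version
    """
    return parse_version(installed) < PATCHED_VERSION


def suspicious_admins(users_json: str, since: str) -> list:
    """Administrators registered on or after `since` (YYYY-MM-DD).

    Input is assumed to be the output of
        wp user list --fields=ID,user_login,user_registered,roles --format=json
    where `roles` is a comma-separated string and `user_registered` is
    'YYYY-MM-DD HH:MM:SS'. Any account this returns deserves a human review
    before removal; the cutoff is a placeholder the operator chooses.
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for u in json.loads(users_json):
        if "administrator" not in u.get("roles", "").split(","):
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            flagged.append(u["user_login"])
    return flagged


# Constructed sample in the shape described above; the accounts and dates are invented.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "owner",    "user_registered": "2021-03-02 09:12:44", "roles": "administrator"},
    {"ID": 2, "user_login": "editor1",  "user_registered": "2023-06-10 14:03:01", "roles": "editor"},
    {"ID": 3, "user_login": "wpupdate", "user_registered": "2024-08-21 03:17:55", "roles": "administrator"},
])

if __name__ == "__main__":
    for v in ("6.3.0.1", "6.4", "6.4.1"):
        print(f"{v:>8}: {'UPDATE NOW' if needs_update(v) else 'patched'}")
    # Placeholder cutoff: set this to the date the site was last known clean.
    print("admins to review:", suspicious_admins(SAMPLE_USERS, "2024-08-01"))
```

The version check deliberately compares tuples rather than strings, so that `6.10` is correctly treated as newer than `6.4`. The admin audit only flags accounts for review; it does not delete anything, since a legitimate administrator may well have been added recently.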
Conclusion
The discovery of this vulnerability highlights the importance of maintaining up-to-date software. The LiteSpeed team responded quickly, but website owners must act immediately to protect their sites. By updating to the latest version of the LiteSpeed Cache plugin and following additional security recommendations, you can safeguard your website from potential attacks.
Don’t delay—secure your website now by updating the LiteSpeed Cache plugin to the latest version.