A severe security flaw has been discovered in the LiteSpeed Cache WordPress plugin, which could allow attackers to take control of millions of websites by creating unauthorized admin accounts.

The vulnerability, identified as CVE-2024-28000, is an unauthenticated privilege escalation flaw rooted in the plugin’s user simulation feature. The issue, which affects LiteSpeed Cache versions up to 6.3.0.1, stems from a weak hash check.

Security researcher John Blackbourn reported the flaw to Patchstack’s bug bounty program on August 1. In response, the LiteSpeed team released a patched version, LiteSpeed Cache 6.4, on August 13.


If successfully exploited, the vulnerability allows any unauthenticated user to gain administrator access, potentially leading to complete control over affected websites. This access could be used to install malicious plugins, alter critical settings, redirect traffic to harmful sites, distribute malware, or steal user data.

According to Patchstack security researcher Rafie Muhammad, a brute force attack using the “litespeed_hash” cookie can exploit this flaw by cycling through 1 million possible hash values. Even at a low rate of three requests per second, an attacker could gain access to the site as any user ID within a few hours to a week. The only requirement is knowing the Administrator-level user ID and passing it in the “litespeed_role” cookie.
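The numbers above are easy to sanity-check, and the same traffic pattern is what a defender would look for in request logs. The following Python is an added example, not code from the article, Patchstack or the LiteSpeed project: it computes how long an exhaustive search over a keyspace of about one million values takes at a given request rate, contrasts that with a properly random token, and runs a simple detector over constructed log lines that flags a client presenting many distinct `litespeed_hash` cookie values. The log format and IP addresses are constructed for the example; real access logs only contain the Cookie header if you configure them to.

```python
import re
import secrets
from collections import defaultdict

# From the article: roughly one million possible litespeed_hash values.
WEAK_KEYSPACE = 1_000_000
SECONDS_PER_DAY = 86_400


def brute_force_seconds(keyspace: int, requests_per_second: float) -> tuple[float, float]:
    """Return (expected, worst-case) seconds to guess one value by exhaustive search.

    Expected time is half the worst case, since on average the right value
    is found halfway through the search.
    """
    worst = keyspace / requests_per_second
    return worst / 2, worst


def strong_token() -> str:
    """A 256-bit random token; the keyspace (16**64) is not brute-forceable."""
    return secrets.token_hex(32)


# Constructed request log: "<client-ip> <path> <Cookie header>".
# 198.51.100.23 cycles through hash values (six distinct guesses);
# 203.0.113.7 is a normal user re-sending the same cookie;
# 192.0.2.9 sends no litespeed cookie at all.
SAMPLE_LOG = """\
198.51.100.23 / litespeed_hash=000001; litespeed_role=1
198.51.100.23 / litespeed_hash=000002; litespeed_role=1
198.51.100.23 / litespeed_hash=000003; litespeed_role=1
198.51.100.23 / litespeed_hash=000004; litespeed_role=1
198.51.100.23 / litespeed_hash=000005; litespeed_role=1
198.51.100.23 / litespeed_hash=000006; litespeed_role=1
203.0.113.7 /wp-admin/ litespeed_hash=482913; litespeed_role=1
203.0.113.7 /wp-admin/ litespeed_hash=482913; litespeed_role=1
192.0.2.9 /about/ wordpress_test_cookie=WP+Cookie+check
"""

HASH_COOKIE_RE = re.compile(r"litespeed_hash=([0-9A-Za-z]+)")


def distinct_hash_guesses(log_lines) -> dict:
    """Map client IP -> number of distinct litespeed_hash values it presented."""
    seen = defaultdict(set)
    for line in log_lines:
        if not line.strip():
            continue
        client_ip = line.split()[0]
        match = HASH_COOKIE_RE.search(line)
        if match:
            seen[client_ip].add(match.group(1))
    return {ip: len(values) for ip, values in seen.items()}


def flag_brute_force(log_lines, threshold: int = 5) -> list:
    """Clients that presented at least `threshold` distinct hash values.

    A legitimate session keeps one cookie value; many distinct values from
    one client within a short window is the signature of the attack
    described in the article. The threshold is an assumed tuning value.
    """
    return sorted(ip for ip, n in distinct_hash_guesses(log_lines).items() if n >= threshold)


if __name__ == "__main__":
    expected, worst = brute_force_seconds(WEAK_KEYSPACE, 3)
    print(f"1M keyspace at 3 req/s: expected {expected / SECONDS_PER_DAY:.1f} days, "
          f"worst case {worst / SECONDS_PER_DAY:.1f} days")
    print(f"strong token example: {strong_token()}")
    print("flagged clients:", flag_brute_force(SAMPLE_LOG.splitlines()))
```

At three requests per second the worst case for a million-value keyspace is a little under four days and the expected time about two, which is the "few hours to a week" range quoted above; a 64-hex-character `secrets.token_hex(32)` value makes the same search infeasible. The detector is deliberately simple: in production you would key on client IP plus time window and feed the result to rate limiting or a WAF rule rather than just listing addresses.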

Despite the availability of a patched version, statistics from WordPress’ official plugin repository show that LiteSpeed Cache has been downloaded just over 2.5 million times since the patch release, leaving a significant number of sites still vulnerable.
