Just one day after detailed technical information about a critical vulnerability in the LiteSpeed Cache WordPress plugin was made public, cybercriminals have begun actively exploiting it.
Identified as CVE-2024-28000, the vulnerability affects all versions of LiteSpeed Cache up to and including 6.3.0.1 and allows unauthenticated attackers to escalate their privileges.
The issue stems from weak hash verification in the plugin's user simulation feature: the security hash is drawn from such a small set of possible values that an attacker can simply guess it by brute force, impersonate an administrator, and create unauthorized administrator accounts.
Security researcher Rafie Muhammad from Patchstack detailed the exploitation process in a recent post, demonstrating how attackers can trigger hash generation and perform brute-force attacks to gain elevated privileges. According to Muhammad, cycling through all one million possible security hash values at a rate of three requests per second could allow attackers to assume any user ID within a timeframe ranging from a few hours to a week. At that rate, exhausting the whole space takes roughly 93 hours, and on average the correct value turns up after about half that.
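To make the numbers above concrete, here is an added illustration (not code from LiteSpeed Cache, Patchstack or Wordfence, and not the plugin's actual implementation) that models the weakness as the article describes it: a secret chosen from only one million values, checked by plain equality with no attempt limiting, so an attacker can enumerate the entire space. Beside it is the pattern a plugin should use instead: a long random token, a constant-time comparison and a lockout after repeated failures. All function and class names are hypothetical.

```python
"""Added example, not code from LiteSpeed Cache, Patchstack or Wordfence.

Models the weakness the article describes (a secret drawn from a space of
one million values, checked by plain equality with no attempt limiting)
beside the hardened pattern (long random token, constant-time compare,
failure lockout). Function and class names are hypothetical.
"""
import hmac
import secrets
from typing import Optional

KEYSPACE = 1_000_000   # "one million possible security hash values" (from the article)
REQ_PER_SEC = 3        # brute-force request rate quoted in the article


# ---- vulnerable pattern -----------------------------------------------------

def weak_generate() -> str:
    """Secret chosen from a small space: an integer below one million.
    The flaw is the size of the space, not the quality of the random choice."""
    return str(secrets.randbelow(KEYSPACE))


def weak_verify(stored: str, supplied: str) -> bool:
    """Plain equality, no rate limit, no lockout: every guess gets an honest answer."""
    return stored == supplied


def brute_force(stored: str) -> Optional[int]:
    """Attacker loop: try every value in the space until weak_verify() accepts one.
    Returns the number of requests needed, or None if the space was exhausted."""
    for guess in range(KEYSPACE):
        if weak_verify(stored, str(guess)):
            return guess + 1
    return None


def hours_to_exhaust(keyspace: int = KEYSPACE, rate: float = REQ_PER_SEC) -> float:
    """Worst-case wall-clock time, in hours, to try the whole space at the given rate."""
    return keyspace / rate / 3600


# ---- hardened pattern -------------------------------------------------------

def strong_generate() -> str:
    """256-bit token from the OS CSPRNG: 2**256 values cannot be enumerated."""
    return secrets.token_hex(32)


class LockingVerifier:
    """Constant-time comparison plus a hard lockout after max_failures bad attempts,
    so even a small secret could not be enumerated one request at a time."""

    def __init__(self, stored: str, max_failures: int = 5):
        self.stored = stored
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, supplied: str) -> bool:
        if self.locked:
            return False
        ok = hmac.compare_digest(self.stored.encode(), supplied.encode())
        if not ok:
            self.failures += 1
        return ok


if __name__ == "__main__":
    secret = weak_generate()
    print(f"weak secret {secret} recovered after {brute_force(secret)} requests")
    print(f"whole space takes at most {hours_to_exhaust():.1f} h at {REQ_PER_SEC} req/s")
    verifier = LockingVerifier(strong_generate())
    for _ in range(5):
        verifier.verify("0")
    print("locked after 5 failures:", verifier.locked)
```

Running the script recovers the weak secret in well under a second locally; the only thing slowing a real attacker is the server's request rate, which is why a small keyspace is a defect regardless of how the value is chosen. The hardened verifier fails closed once the attempt budget is spent, so enumeration stalls after a handful of requests even before the token length is considered.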
LiteSpeed Cache has over five million installations, but currently only about 30% of users have updated to a secure version, leaving millions of websites vulnerable to attack.
WordPress security firm Wordfence has reported detecting and blocking more than 48,500 attack attempts targeting CVE-2024-28000 in the past 24 hours alone, indicating a significant surge in exploitation activity. Security analyst Chloe Chamberland from Wordfence had anticipated this scenario, warning yesterday, “We have no doubts that this vulnerability will be actively exploited very soon.”
Users of the LiteSpeed Cache plugin are strongly advised to update to the latest version, 6.4.1, immediately to protect their websites from potential attacks. Those who are unable to update promptly should consider temporarily deactivating or uninstalling the plugin until they can apply the necessary security fixes.
Bijay Pokharel