Another vulnerability was found in the LiteSpeed Cache WordPress plugin: an Unauthenticated Privilege Escalation that could result in a complete site takeover. Unfortunately, updating to the latest version of the plugin may not be enough to resolve the issue.

LiteSpeed Cache Plugin

The LiteSpeed Cache Plugin is a website performance optimization plugin that has over 6 million installations. A cache plugin stores a static copy of the data used to build a web page so that the server doesn't have to repeatedly fetch the same page elements from the database each time a browser requests a web page.

Storing the page in a "cache" decreases the server load and speeds up the time it takes to deliver a web page to a browser or a crawler.

LiteSpeed Cache also performs other page speed optimizations like compressing CSS and JavaScript files (minifying), placing the most important CSS for rendering a page in the HTML code itself (inlined CSS), and other optimizations that together make a site faster.

Unauthenticated Privilege Escalation

An unauthenticated privilege escalation is a type of vulnerability that allows a hacker to gain site access privileges without having to sign in as a user. This makes it easier to attack a site compared to an authenticated vulnerability, which requires a hacker to first reach a certain privilege level before being able to execute the attack.

Unauthenticated privilege escalation typically happens because of a flaw in a plugin (or theme), and in this case it's an information leak.

Patchstack, the security company that discovered the vulnerability, writes that the vulnerability can only be exploited under two conditions:

"Active debug log feature on the LiteSpeed Cache plugin.

Has activated the debug log feature once before (not currently active now) and the /wp-content/debug.log file is not purged or removed."

Discovered By Patchstack

The vulnerability was discovered by researchers at Patchstack, a WordPress security company, which offers a free vulnerability alert service and advanced protection for as little as $5/month.

Oliver Sild, founder of Patchstack, explained to Search Engine Journal how this vulnerability was discovered and warned that updating the plugin isn't enough, that a user still needs to manually purge their debug logs.

He shared these specifics about the vulnerability:

"It was found by our internal researcher after we processed the vulnerability from a few weeks ago.

The important thing to keep in mind with this new vulnerability is that even when it gets patched, the users still need to purge their debug logs manually. It's also a good reminder not to keep debug mode enabled in production."

Recommended Course of Action

Patchstack recommends that users of the LiteSpeed Cache WordPress plugin update to at least version 6.5.0.1.
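The two conditions quoted above, plus the manual purge step, amount to a local audit a site owner can run: is debug logging switched on, and is a debug.log file still sitting in wp-content? The script below is an added example written for this article; it is not Patchstack's or LiteSpeed's code. It reads the WordPress constants WP_DEBUG, WP_DEBUG_LOG and WP_DEBUG_DISPLAY from wp-config.php (these are real WordPress constants; WP_DEBUG_LOG may be a boolean or a custom log path), checks for the /wp-content/debug.log file the advisory names, and removes it. It assumes the standard wp-config.php / wp-content layout. The plugin's own debug-log toggle lives in the LiteSpeed Cache settings and is not read here, so that switch still has to be checked by hand.

```python
"""Audit a WordPress install for a lingering debug log (added example, not the plugin's code).

Assumed layout: <site_root>/wp-config.php and <site_root>/wp-content/.
WP_DEBUG, WP_DEBUG_LOG and WP_DEBUG_DISPLAY are real WordPress constants.
"""
import re
import tempfile
from pathlib import Path

# Matches e.g.  define( 'WP_DEBUG_LOG', true );  or  define('WP_DEBUG_LOG', '/var/log/wp.log');
DEFINE_RE = re.compile(
    r"define\(\s*['\"](WP_DEBUG|WP_DEBUG_LOG|WP_DEBUG_DISPLAY)['\"]\s*,\s*(.+?)\s*\)\s*;"
)


def parse_debug_constants(wp_config_text: str) -> dict:
    """Collect WP_DEBUG* defines from wp-config.php text, skipping commented-out lines."""
    found = {}
    for line in wp_config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # a commented-out define is not in effect
        m = DEFINE_RE.search(stripped)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def resolve_log_path(site_root, constants: dict) -> Path:
    """WP_DEBUG_LOG is usually a boolean; a quoted string value is a custom log path."""
    raw = constants.get("WP_DEBUG_LOG", "false")
    if len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0]:
        return Path(raw[1:-1])
    return Path(site_root) / "wp-content" / "debug.log"


def _load_constants(root: Path) -> dict:
    cfg = root / "wp-config.php"
    return parse_debug_constants(cfg.read_text()) if cfg.is_file() else {}


def audit(site_root) -> dict:
    """Report both advisory conditions: logging on now, or a stale log file left behind."""
    root = Path(site_root)
    constants = _load_constants(root)
    log_path = resolve_log_path(root, constants)
    logging_on = constants.get("WP_DEBUG_LOG", "false").strip().lower() not in ("false", "0", "")
    present = log_path.is_file()
    return {
        "debug_log_enabled": logging_on,
        "debug_log_path": str(log_path),
        "debug_log_present": present,
        "debug_log_bytes": log_path.stat().st_size if present else 0,
        "action_needed": logging_on or present,
    }


def purge_debug_log(site_root) -> bool:
    """The manual step the advisory calls for: delete the log. Returns True if a file was removed."""
    root = Path(site_root)
    log_path = resolve_log_path(root, _load_constants(root))
    if log_path.is_file():
        log_path.unlink()
        return True
    return False


def demo() -> tuple:
    """Constructed site: debug logging was on once, then turned off, log file left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "wp-config.php").write_text(
            "<?php\n"
            "// define( 'WP_DEBUG_LOG', true );   // was on once, now commented out\n"
            "define( 'WP_DEBUG', false );\n"
            "define( 'WP_DEBUG_LOG', false );\n"
        )
        # constructed sample log line, the kind of content a stale debug.log holds
        (root / "wp-content" / "debug.log").write_text(
            "[01-Jan-2024 00:00:00 UTC] PHP Notice: constructed sample line\n"
        )
        before = audit(root)
        purged = purge_debug_log(root)
        after = audit(root)
        return before, purged, after


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run it against a real install with `audit("/var/www/html")` first and act on `action_needed`; `purge_debug_log` is separate so the report can be reviewed before anything is deleted. A non-empty `debug_log_bytes` on a site where `debug_log_enabled` is false is exactly the second condition in the advisory: logging was on at some point and the file was never cleaned up.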

Learn the advisory at Patchstack:

Critical Account Takeover Vulnerability Patched in LiteSpeed Cache Plugin

Featured Image by Shutterstock/Teguh Mujiono
