Another vulnerability has been found in the LiteSpeed Cache WordPress plugin: an unauthenticated privilege escalation that could lead to a complete website takeover. Unfortunately, updating to the latest version of the plugin may not be enough to resolve the issue.
LiteSpeed Cache Plugin
The LiteSpeed Cache plugin is a website performance optimization plugin with over 6 million installations. A cache plugin stores a static copy of the data used to build a web page so that the server does not have to repeatedly fetch the same page elements from the database every time a browser requests the page.
Storing the page in a cache reduces server load and speeds up the time it takes to deliver a web page to a browser or a crawler.
LiteSpeed Cache also performs other page-speed optimizations, such as minifying CSS and JavaScript files, inlining the CSS that is critical for rendering a page directly in the HTML, and other optimizations that together make a website faster.
Unauthenticated Privilege Escalation
An unauthenticated privilege escalation is a type of vulnerability that allows an attacker to gain website access privileges without having to sign in as a user. This makes a site easier to attack than an authenticated vulnerability, which requires the attacker to first obtain a certain privilege level before being able to execute the attack.
Unauthenticated privilege escalation usually results from a flaw in a plugin (or theme), and in this case the flaw is a data leak through the plugin's debug log.
Patchstack, the security company that discovered the vulnerability, writes that it can only be exploited under one of two conditions:
“Active debug log feature on the LiteSpeed Cache plugin.
Has activated the debug log feature once before (not currently active now) and the /wp-content/debug.log file is not purged or removed.”
Discovered By Patchstack
The vulnerability was discovered by researchers at Patchstack, a WordPress security company that offers a free vulnerability alerting service and advanced protection for as little as $5/month.
Oliver Sild, founder of Patchstack, explained to Search Engine Journal how this vulnerability was discovered and warned that updating the plugin is not enough: a user still needs to manually purge their debug logs.
He shared these specifics about the vulnerability:
“It was found by our internal researcher when we processed the vulnerability from a few weeks ago.
Important thing to keep in mind with this new vulnerability is that even when it gets patched, the users still need to purge their debug logs manually. It's also a reminder not to keep debug mode enabled in production.”
Recommended Course of Action
Patchstack recommends that users of the LiteSpeed Cache WordPress plugin update to at least version 6.5.0.1.
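As a worked illustration of that remediation, here is an added example (not code from the article, Patchstack, or LiteSpeed): a POSIX shell script that checks the installed plugin version against 6.5.0.1, tests whether /wp-content/debug.log is fetchable anonymously, removes a leftover log file, and flags WordPress's core debug constants in wp-config.php. WP-CLI and curl being installed, the plugin slug `litespeed-cache`, and the two command-line arguments (site root and site URL) are assumptions. The script only removes the default log location and does not change the plugin's own debug-log toggle, which still has to be switched off in the plugin settings so a new log is not written.

```shell
#!/bin/sh
# Added example for the LiteSpeed Cache debug.log issue; not the project's code.
# Usage (hypothetical paths): ./check_lscache.sh /var/www/html https://example.com

# Returns 0 when version $1 is >= version $2. Pure POSIX sh, compares each
# dot-separated numeric field; pre-release suffixes like "-beta" are not handled.
version_at_least() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; a="${a#*.}"
    y="${b%%.*}"; b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# Removes a leftover debug.log under the given wp-content directory.
# Returns 0 if a file was removed, 1 if there was nothing to purge.
purge_debug_log() {
  log="$1/debug.log"
  if [ -f "$log" ]; then
    rm -f "$log"
    echo "purged $log"
    return 0
  fi
  echo "no debug.log in $1"
  return 1
}

# Returns 0 when an anonymous GET for /wp-content/debug.log answers 200.
# Caveat: sites that answer 200 for every path will produce a false positive;
# inspect the body manually in that case.
debug_log_exposed() {
  code="$(curl -s --max-time 10 -o /dev/null -w '%{http_code}' "$1/wp-content/debug.log")"
  [ "$code" = "200" ]
}

# Returns 0 when wp-config.php defines WP_DEBUG or WP_DEBUG_LOG as true
# (WordPress core debug logging, which also writes to wp-content/debug.log).
# Commented-out defines are not distinguished from live ones.
debug_constants_enabled() {
  grep -Eq "define\([[:space:]]*['\"]WP_DEBUG(_LOG)?['\"][[:space:]]*,[[:space:]]*true" "$1"
}

# Full check for one site: $1 = WordPress root, $2 = public base URL.
check_site() {
  root="$1"; url="$2"
  ver="$(wp --path="$root" plugin get litespeed-cache --field=version)"
  if version_at_least "$ver" 6.5.0.1; then
    echo "litespeed-cache $ver: patched version"
  else
    echo "litespeed-cache $ver: UPDATE to 6.5.0.1 or later"
  fi
  if debug_log_exposed "$url"; then
    echo "WARNING: $url/wp-content/debug.log is publicly readable"
  fi
  purge_debug_log "$root/wp-content"
  if debug_constants_enabled "$root/wp-config.php"; then
    echo "WARNING: WP_DEBUG / WP_DEBUG_LOG is enabled in $root/wp-config.php"
  fi
}

if [ "$#" -ge 2 ]; then
  check_site "$1" "$2"
fi
```

Run it after the plugin update, then confirm in the plugin's settings that its debug log option is off; otherwise the log will simply be recreated.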
Read the advisory at Patchstack:
Critical Account Takeover Vulnerability Patched in LiteSpeed Cache Plugin
Featured Image by Shutterstock/Teguh Mujiono