A critical security flaw in the popular WordPress plugin LiteSpeed Cache is being actively exploited by attackers to take complete control of vulnerable websites. The exploitation, reported by WPScan, uses the vulnerability (CVE-2023-40000) to create rogue admin accounts, granting attackers unrestricted access and the ability to manipulate websites at will.
The vulnerability is a stored cross-site scripting (XSS) flaw: the injected script is saved by the plugin and later runs in the browser of a logged-in administrator, where it can perform any action that administrator could, including creating a new admin user. It was patched in October 2023 and publicly disclosed in February 2024. However, with over 5 million active installations of LiteSpeed Cache, a significant number of websites remain at risk because they have not updated to the fixed version.
Consequences of the LiteSpeed Cache Hack
Gaining admin access allows attackers to wreak havoc on compromised websites. They can inject malware, install malicious plugins, steal sensitive data, redirect visitors to phishing sites, and deface websites, among other harmful actions.
How to protect your WordPress site
Update LiteSpeed Cache immediately: Ensure you are using version 5.7.0.1 or later.
Review all plugins: Check for updates and remove any suspicious or unused plugins.
Scan for malware: Regularly scan your website for malware and backdoors.
Strengthen passwords: Use strong and unique passwords for all admin accounts.
Enable automatic updates: Keep your WordPress core, plugins, and themes updated automatically to benefit from the latest security patches.
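Two of the steps above can be checked from a script rather than by eye: whether the installed LiteSpeed Cache build predates the fix, and whether administrator accounts have appeared that the site owner does not recognise. The following is an added example, not code from WPScan, LiteSpeed or the WordPress project. It assumes the standard WordPress plugin header (the `Version:` line in the plugin's main PHP file) and a user list in the shape produced by `wp user list --role=administrator --format=json --fields=ID,user_login,user_registered`; the plugin header, the user records, the allowlist and the cutoff date below are all constructed for the demonstration.

```python
"""Post-advisory checks for LiteSpeed Cache (CVE-2023-40000).

Added example; not WPScan's, LiteSpeed's or WordPress's own code.
Sample inputs are constructed, not taken from a real site.
"""
import re
from datetime import datetime

# First LiteSpeed Cache release that carries the stored-XSS fix.
FIXED_VERSION = (5, 7, 0, 1)

# Constructed stand-in for wp-content/plugins/litespeed-cache/litespeed-cache.php
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Version: 5.6
 */
"""

# Constructed stand-in for the output of
#   wp user list --role=administrator --format=json --fields=ID,user_login,user_registered
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:15:00"},
    {"ID": 57, "user_login": "backup-admin", "user_registered": "2024-04-28 03:12:44"},
]


def parse_version(header_text: str) -> tuple:
    """Extract the plugin version from a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M)
    if not m:
        raise ValueError("no Version: header found")
    return tuple(int(part) for part in m.group(1).strip(".").split("."))


def is_vulnerable(installed: tuple) -> bool:
    """True when the installed version is older than 5.7.0.1.

    Shorter tuples are zero-padded so that 5.7 compares as 5.7.0.0,
    which is correctly reported as still vulnerable.
    """
    width = max(len(installed), len(FIXED_VERSION))

    def pad(v):
        return tuple(v) + (0,) * (width - len(v))

    return pad(installed) < pad(FIXED_VERSION)


def rogue_admins(users: list, known_logins: set, since: str) -> list:
    """Return logins of administrator accounts that look unexpected.

    An account is flagged if its login is not on the owner's allowlist, or
    if it was registered on or after `since` (the earliest date the site is
    assumed to have been exposed; both timestamps use WordPress's
    'YYYY-MM-DD HH:MM:SS' format).
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    flagged = []
    for user in users:
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in known_logins or registered >= cutoff:
            flagged.append(user["user_login"])
    return flagged


def run_sample() -> dict:
    """Run both checks over the constructed inputs and return the findings."""
    installed = parse_version(SAMPLE_HEADER)
    return {
        "installed": installed,
        "vulnerable": is_vulnerable(installed),
        # Cutoff chosen as the month the fix shipped; adjust to your own exposure window.
        "rogue_admins": rogue_admins(SAMPLE_USERS, {"siteowner"}, "2023-10-01 00:00:00"),
    }


if __name__ == "__main__":
    print(run_sample())
```

Any login the second check flags should be confirmed against the site owner's records and removed with `wp user delete` once confirmed rogue, after which the remaining admin passwords should be rotated, since an attacker who could add an account may also have altered an existing one.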