LiteSpeed Cache Plugin Flaw Let Attackers Inject Malicious Code, 5M+ Sites Impacted

by Esmeralda McKenzie

The popular LiteSpeed Cache plugin for WordPress has been found to be vulnerable to a Cross-Site Request Forgery (CSRF) attack that could potentially affect over 5 million websites.

The flaw, tracked as CVE-2024-3246, was publicly disclosed on July 23, 2024, and has been assigned a CVSS score of 6.1, categorizing it as a medium-severity vulnerability.

CVE-2024-3246 – LiteSpeed Cache Plugin Flaw

According to the Wordfence report, the vulnerability, discovered by security researcher Krzysztof Zając from CERT PL, affects all versions of the LiteSpeed Cache plugin up to and including 6.2.0.1.

The flaw stems from missing or incorrect nonce validation, a critical security measure used to prevent CSRF attacks.

This oversight allows unauthenticated attackers to update the token setting and inject malicious JavaScript code via a forged request.

For the attack to succeed, the attacker must trick a site administrator into performing an action, such as clicking on a malicious link.
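To make the "missing nonce validation" failure concrete, here is an added illustration of a generic WordPress settings handler in its vulnerable and hardened forms. This is example code written for this article, not LiteSpeed Cache's code: the option name `example_plugin_token`, the action `example_save_token` and the function names are hypothetical. The WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `update_option`, the `admin_post_{action}` hook and the escaping helpers) are real core functions.

```php
<?php
// Added example (not LiteSpeed Cache's code). Hypothetical option name
// 'example_plugin_token' and admin-post action 'example_save_token'.

// VULNERABLE PATTERN: the handler trusts any POST that arrives with an
// administrator's session cookie. A capability check alone does not stop CSRF,
// because the browser attaches the admin's cookies to a form submitted from an
// attacker-controlled page; nothing proves the admin intended this request.
function example_save_token_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // No nonce check and no sanitization: a forged request can store arbitrary
    // content, including script, in the option.
    update_option( 'example_plugin_token', $_POST['token'] ?? '' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// HARDENED PATTERN: verify the nonce (proof the request came from our own form),
// check the capability, sanitize the input, and escape on output.
function example_save_token_hardened() {
    // Dies with a "link has expired" page if the nonce is missing or invalid.
    check_admin_referer( 'example_save_token', '_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $token = isset( $_POST['token'] )
        ? sanitize_text_field( wp_unslash( $_POST['token'] ) )
        : '';
    update_option( 'example_plugin_token', $token );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_save_token', 'example_save_token_hardened' );

// The settings form must emit the matching nonce field so that legitimate
// submissions pass the check above.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_token">
        <?php wp_nonce_field( 'example_save_token', '_example_nonce' ); ?>
        <label>Token
            <input type="text" name="token"
                   value="<?php echo esc_attr( get_option( 'example_plugin_token', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Wherever the stored value is rendered, escape it: a stored value only becomes
// script execution if some template prints it raw.
function example_render_token_badge() {
    echo '<span class="example-token">'
        . esc_html( get_option( 'example_plugin_token', '' ) )
        . '</span>';
}
```

Two defences are layered here on purpose: the nonce check stops a forged request from reaching `update_option` at all, and output escaping means that even a value written by some other path cannot execute as JavaScript when displayed. When reviewing a plugin for this class of bug, look for every `update_option`/`add_option` call reachable from an `admin_post_*`, `admin_init`, `wp_ajax_*` or REST handler and confirm a `check_admin_referer`/`wp_verify_nonce` (or REST permission callback) guards it.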

Vulnerability Details:

Affected Version: <= 6.2.0.1
Patched Version: 6.3

Impact and Mitigation

Given the widespread use of the LiteSpeed Cache plugin, the potential impact of this vulnerability is significant. If exploited, attackers could inject malicious code, leading to a range of security issues, including data theft, site defacement, and exploitation of site visitors.

The vulnerability has been patched in version 6.3 of the LiteSpeed Cache plugin. Site administrators are strongly advised to update their plugins to the latest version immediately to mitigate the risk.

The update is available from the official WordPress plugin repository. Wordfence Intelligence, which tracks vulnerabilities in WordPress plugins, emphasizes the importance of timely updates.

“This vulnerability highlights the critical need for regular plugin updates and vigilance in website security management,” a spokesperson from Wordfence said.

As the digital landscape continues to evolve, ensuring the security of web applications remains paramount.

The discovery of CVE-2024-3246 is a stark reminder of the vulnerabilities within widely used software and the importance of proactive security measures.

Source credit : cybersecuritynews.com