Nigeria has issued an urgent warning about a critical security flaw that has affected over five million WordPress sites using the popular LiteSpeed Cache plugin.
The flaw allows attackers to gain full control of affected websites without any authentication. LiteSpeed Cache is a popular plugin used to make WordPress sites load faster and improve performance by storing frequently accessed data in a cache.
NITDA: WordPress security flaw could cause data theft
According to the Nigeria Information Technology Development Agency (NITDA), the Federal IT agency that issued the warning, the vulnerability stems from a defect in the plugin’s “role simulation” feature. If exploited, attackers can manipulate this flaw to obtain administrative access, which could lead to severe consequences, including the installation of malicious plugins, data theft, and redirecting site visitors to harmful websites.
NITDA said in the statement that “the simplicity of the attack vector, combined with a weak hash function, makes it easy for attackers to exploit this vulnerability by guessing via brute-forcing or exploiting exposed debug logs.”
The implications of CVE-2024-28000 are significant given the millions of installations of the LiteSpeed Cache plugin, the agency warned, adding that the potential for widespread exploitation raises concerns about an increase in cyberattacks targeting vulnerable sites.
To mitigate this, NITDA strongly advises website administrators using the LiteSpeed Cache plugin to update to the latest version, 6.4.1, as soon as possible. To perform the update, log in to your WordPress dashboard, navigate to the “Plugins” section, and apply the necessary updates.
Additionally, website administrators should disable debugging and conduct regular audits as a preventive measure. “Ensure that debugging is turned off on live websites to reduce exposure to attacks,” and “conduct regular audits of plugin settings and configurations to identify and address potential vulnerabilities,” NITDA said.
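As an added example of the two checks NITDA recommends (plugin version at or above 6.4.1, debugging turned off), the following POSIX shell script reads a plugin's `Version:` header and a site's `wp-config.php` and reports whether action is needed. It is not code from NITDA, WordPress or the LiteSpeed project; the file paths, the sample plugin header and the sample `wp-config.php` lines are constructed for the demonstration, and the patched version 6.4.1 is taken from the advisory above.

```shell
#!/bin/sh
# Added example (not from NITDA or the LiteSpeed project): checks a WordPress
# install for an unpatched LiteSpeed Cache version and for WP_DEBUG left on.

PATCHED_VERSION="6.4.1"   # fixed version named in the advisory

# version_lt A B: succeeds (exit 0) when dotted version A is older than B.
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n1)
  [ "$lowest" = "$1" ]
}

# plugin_version FILE: prints the "Version:" value from a plugin header comment.
plugin_version() {
  sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*//p' "$1" | head -n1 | tr -d '[:space:]'
}

# litespeed_needs_update FILE: succeeds when the plugin header is below 6.4.1.
litespeed_needs_update() {
  v=$(plugin_version "$1")
  [ -n "$v" ] || return 1   # no header found: cannot judge, treat as not flagged
  version_lt "$v" "$PATCHED_VERSION"
}

# debug_enabled WP_CONFIG: succeeds when define('WP_DEBUG', true) is present.
debug_enabled() {
  grep -Eq "define\([[:space:]]*['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Demo on constructed sample files (hypothetical paths under a temp dir).
demo_dir=$(mktemp -d)
printf '<?php\n/**\n * Plugin Name: LiteSpeed Cache\n * Version: 6.3.0.1\n */\n' > "$demo_dir/litespeed-cache.php"
printf "<?php\ndefine( 'WP_DEBUG', true );\n" > "$demo_dir/wp-config.php"

if litespeed_needs_update "$demo_dir/litespeed-cache.php"; then
  echo "LiteSpeed Cache $(plugin_version "$demo_dir/litespeed-cache.php") is below $PATCHED_VERSION: update required"
else
  echo "LiteSpeed Cache is at or above $PATCHED_VERSION"
fi

if debug_enabled "$demo_dir/wp-config.php"; then
  echo "WP_DEBUG is enabled in wp-config.php: disable it on a live site"
else
  echo "WP_DEBUG is off"
fi
rm -rf "$demo_dir"
```

On a real site, point `litespeed_needs_update` at `wp-content/plugins/litespeed-cache/litespeed-cache.php` and `debug_enabled` at the site's `wp-config.php`; the version comparison sorts numerically field by field, so four-part versions such as the constructed 6.3.0.1 compare correctly against 6.4.1.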