Litespeed Cache bug exposes millions of WordPress sites to takeover attacks

'A critical vulnerability in the LiteSpeed Cache WordPress plugin can let attackers take over millions of websites after creating rogue admin accounts. LiteSpeed Cache is open-source and the most popular WordPress site acceleration plugin, with over 5 million active installations and support for WooCommerce, bbPress, ClassicPress, and Yoast SEO.

The unauthenticated privilege escalation vulnerability (CVE-2024-28000) was found in the plugin's user simulation feature and is caused by a weak hash check in LiteSpeed Cache up to and including version 6.3.0.1. Security researcher John Blackbourn submitted the flaw to Patchstack's bug bounty program on August 1. The LiteSpeed team developed a patch and shipped it with LiteSpeed Cache version 6.4, released on August 13.

Successful exploitation enables any unauthenticated visitors to gain administrator-level access, which can be used to completely take over websites running vulnerable LiteSpeed Cache versions by installing malicious plugins, changing critical settings, redirecting traffic to malicious websites, distributing malware to visitors, or stealing user data.'

-- source: https://www.bleepingcomputer.com/news/security/litespeed-cache-bug-exposes-m...

Cheers, Peter
participants (1)
-
Peter Reutemann