TLDR:
- The LiteSpeed Cache plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability impacting over 5 million websites.
- The flaw, identified as CVE-2024-3246, allows attackers to inject malicious code and has been patched in version 6.3 of the plugin.
The popular LiteSpeed Cache plugin for WordPress has been found vulnerable to a Cross-Site Request Forgery (CSRF) attack, which could potentially impact over 5 million websites. The flaw, identified as CVE-2024-3246, was publicly disclosed on July 23, 2024, and has been assigned a CVSS score of 6.1, categorizing it as a medium-severity vulnerability. According to the Wordfence report, the vulnerability affects all versions of the LiteSpeed Cache plugin up to and including 6.2.0.1. The flaw allows unauthenticated attackers to update the token setting and inject malicious JavaScript code via a forged request.
If exploited, attackers could inject malicious code, leading to various security issues, including data theft, site defacement, and exploitation of site visitors. The vulnerability has been patched in version 6.3 of the LiteSpeed Cache plugin, and website administrators are strongly advised to immediately update their plugins to the latest version to mitigate the risk. Wordfence Intelligence emphasizes the critical need for regular plugin updates and vigilance in website security management.