Critical LiteSpeed Cache Vulnerability Exposes 6 Million WordPress Sites to Hacking Risk

A major security flaw in the LiteSpeed Cache plugin for WordPress allows hackers to take over websites. Updating alone won’t fix the issue—manual steps are required to secure your site. Learn how to protect your WordPress site from this critical vulnerability.

Critical LiteSpeed Cache Vulnerability Exposes 6 Million WordPress Sites to Hacking Risk
Photo by Choong Deng Xiang / Unsplash

A critical vulnerability has been discovered in the LiteSpeed Cache WordPress plugin, affecting over 6 million websites. This security flaw, identified as an Unauthenticated Privilege Escalation, could lead to a complete site takeover by malicious actors. Shockingly, simply updating the plugin may not fully resolve the problem, as additional manual steps are required to secure vulnerable sites.

LiteSpeed Cache Plugin Overview

The LiteSpeed Cache Plugin is a popular performance optimization tool for WordPress. Its primary function is to cache web pages—storing static copies of data used to create web pages. By doing so, the server avoids repeatedly retrieving identical page elements from the database each time a browser requests a page. This reduces server load and significantly speeds up page load times for both users and search engine crawlers.

In addition to caching, LiteSpeed Cache offers a variety of page speed enhancements, such as:

  • Minifying (compressing) CSS and JavaScript files
  • Inlining critical CSS to improve rendering speed
  • Managing image optimizations, lazy loading, and other features designed to boost website performance

The Vulnerability: Unauthenticated Privilege Escalation

The newly discovered vulnerability is classified as an unauthenticated privilege escalation, meaning attackers can gain site access without needing to authenticate as a legitimate user. This makes it easier for hackers to compromise a site compared to vulnerabilities that require an attacker to have a certain level of access first. Once exploited, attackers can potentially escalate their privileges, leading to a complete takeover of the site.

This specific vulnerability stems from a data leak within the plugin and can be exploited under two conditions:

  1. The debug log feature on the LiteSpeed Cache plugin is active.
  2. The debug log feature was activated at least once before, and the file /wp-content/debug.log has not been purged or removed.

In cases where these conditions are met, attackers can exploit the information contained in the log file to gain unauthorized access to the website.

Discovery and Expert Insights

The vulnerability was uncovered by researchers at Patchstack, a WordPress security firm that provides a free vulnerability alert service as well as premium advanced protection. Oliver Sild, the founder of Patchstack, emphasized that even after updating to a patched version of the plugin, users still need to manually delete or purge their debug logs to ensure their site is secure.

Sild stated:

"The important thing to keep in mind with this new vulnerability is that even when it gets patched, the users still need to purge their debug logs manually. It’s also a good reminder not to keep debug mode enabled in production."

Patchstack has advised all users of the LiteSpeed Cache plugin to immediately update to at least version 6.5.0.1, which contains a patch for this vulnerability. However, updating alone is not enough—website administrators must also:

  1. Manually purge or remove the debug.log file located in /wp-content/.
  2. Ensure the debug log feature is disabled in production environments, as leaving it enabled unnecessarily increases the risk of vulnerabilities.

Additional Context: The Importance of Securing Debug Logs

Debug logs are invaluable during the development and troubleshooting phases of website maintenance, as they record errors and other relevant information. However, once a site is live, keeping debug logs active in a production environment introduces security risks. Attackers can leverage the detailed information contained within these logs to find potential weaknesses and vulnerabilities in the site’s infrastructure.

As this vulnerability highlights, even the best WordPress plugins can inadvertently expose sites to significant risks. Properly configuring plugins and following security best practices—like purging sensitive files and disabling unnecessary features—are crucial steps in maintaining a secure website.

Conclusion

The discovery of this LiteSpeed Cache vulnerability serves as a timely reminder for site administrators to remain vigilant about plugin security. Updating to the latest version is essential, but equally important is manually clearing debug logs and disabling unnecessary features like debugging in production. As the number of sophisticated attacks on WordPress sites continues to rise, staying on top of security patches and best practices will help safeguard your site against potential takeovers.