LiteSpeed Cache Plugin Flaw Let Attackers Inject Malicious Code


The popular LiteSpeed Cache plugin for WordPress has been found vulnerable to a Cross-Site Request Forgery (CSRF) attack, which could potentially impact over 5 million websites.

The flaw, identified as CVE-2024-3246, was publicly disclosed on July 23, 2024, and has been assigned a CVSS score of 6.1, categorizing it as a medium-severity vulnerability.


CVE-2024-3246 – LiteSpeed Cache Plugin Flaw

According to the Wordfence report, the vulnerability, discovered by security researcher Krzysztof Zając from CERT PL, affects all versions of the LiteSpeed Cache plugin up to and including 6.2.0.1.

The flaw stems from missing or incorrect nonce validation, a critical security measure to prevent CSRF attacks.

This oversight allows unauthenticated attackers to update the token setting and inject malicious JavaScript code via a forged request.

For the attack to be successful, the attacker must trick a site administrator into acting, such as clicking on a malicious link.
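The pattern described above, as an added illustration that is not LiteSpeed Cache's code: a WordPress settings handler that stores a plugin option without nonce validation, beside the hardened form that binds the request to a nonce and a capability check. Hook, option and field names (`hypo_*`) are hypothetical.

```php
<?php
// Added example, not code from the LiteSpeed Cache plugin. Names prefixed
// hypo_ are hypothetical; the WordPress API calls are real.

// VULNERABLE PATTERN: any POST reaching this handler is trusted. A logged-in
// administrator who visits an attacker-controlled page can be made to submit
// this form cross-site, and the supplied value is stored verbatim.
function hypo_save_token_vulnerable() {
    if ( isset( $_POST['hypo_token'] ) ) {
        // No nonce check, no capability check, no sanitizing.
        update_option( 'hypo_token', $_POST['hypo_token'] );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-settings' ) );
    exit;
}

// HARDENED PATTERN: verify the nonce tied to this action and the current
// session, confirm the capability, sanitize on input and escape on output.
function hypo_save_token_fixed() {
    // Stops with a "link has expired" error page if the nonce is missing or invalid.
    check_admin_referer( 'hypo_save_token', 'hypo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $token = isset( $_POST['hypo_token'] )
        ? sanitize_text_field( wp_unslash( $_POST['hypo_token'] ) )
        : '';
    update_option( 'hypo_token', $token );
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-settings' ) );
    exit;
}
add_action( 'admin_post_hypo_save_token', 'hypo_save_token_fixed' );

// The settings form must emit the matching nonce field; output is escaped so a
// stored value can never become script in the admin page.
function hypo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_token">
        <?php wp_nonce_field( 'hypo_save_token', 'hypo_nonce' ); ?>
        <input type="text" name="hypo_token"
               value="<?php echo esc_attr( get_option( 'hypo_token', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Wordfence-style nonce findings usually come down to the first function: a state-changing handler reachable without `check_admin_referer()` (or `wp_verify_nonce()`), so auditing every `update_option()` call path for the check is the quickest review.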


Vulnerability Details:

Affected Version: <= 6.2.0.1
Patched Version: 6.3

Impact and Mitigation

Given the widespread use of the LiteSpeed Cache plugin, the potential impact of this vulnerability is substantial. If exploited, attackers could inject malicious code, leading to various security issues, including data theft, site defacement, and exploitation of site visitors.

The vulnerability has been patched in version 6.3 of the LiteSpeed Cache plugin. Website administrators are strongly advised to immediately update their plugins to the latest version to mitigate the risk.

The update can be found on the official WordPress plugin repository. Wordfence Intelligence, which tracks vulnerabilities in WordPress plugins, emphasizes the importance of timely updates.

“This vulnerability highlights the critical need for regular plugin updates and vigilance in website security management,” a spokesperson from Wordfence stated.

As the digital landscape continues to evolve, ensuring the security of web applications remains paramount.

The discovery of CVE-2024-3246 is a stark reminder of the vulnerabilities within widely used software and the importance of proactive security measures.
