The National Information Technology Development Agency (NITDA) has called on users of LiteSpeed Cache plugin for WordPress, to update to the latest version, (6.4.1), to prevent their websites from being attacked.
Mrs Hadiza Umar, Director, Corporate Affairs and External Relations of the agency, said this in a statement in Abuja on Monday.
LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimisation features.
Umar said that a critical security vulnerability (CVE-2024-28000) had been discovered in the LSCWP, affecting over five million websites.
“This vulnerability allows attackers to take complete control of a website without requiring any authentication.
“The vulnerability is due to a flaw in the plugin’s role simulation feature and if exploited, an attacker can manipulate this flaw to gain administrative access to the website.
“This could lead to the installation of malicious plugins, theft of data, or even redirection of site visitors to harmful websites.
“Website administrators using the LiteSpeed Cache plugin are strongly advised to update to the latest version (6.4.1) immediately,” she said.
She noted that the simplicity of the attack vector, combined with a weak hash function, made it easy for attackers to exploit this vulnerability by guessing via brute-forcing or exploiting exposed debug logs.
According to her, to check for updates, log in to your WordPress dashboard and navigate to the Plugins section, where you can update the LiteSpeed Cache plugin.
“As a precautionary measure, administrators should ensure that debugging is disabled on live websites and regularly audit their plugin settings to prevent vulnerabilities from being exploited,” Umar said. (NAN)