Worrying WordPress plugin security flaw could let hackers hijack your site
techradar.com
LiteSpeed Cache, an immensely popular WordPress plugin for site performance optimization, suffered from a vulnerability which allowed threat actors to gain admin status.
With such elevated privileges, they would be able to perform all sorts of malicious activities on the compromised websites.
According to researchers from Patchstack, the vulnerability was discovered in the is_role_simulation function, and it is relatively similar to a different vulnerability that was discovered last summer. The function apparently used a weak security hash check that could be broken with brute force, granting the attackers the ability to abuse the crawler feature and simulate a logged-in administrator.
Who is vulnerable?
There are a few factors that need to align before the vulnerability can be abused, though.
That includes having the crawler turned on, with run duration between 2500 and 4000, and the intervals between runs being set to 2500-4000. Furthermore, Server Load Limit should be set ...
Copyright of this story solely belongs to techradar.com.