Encircle News!

Retro Game Arcade
, , ,

Watch out — hackers can exploit this plugin to gain full control of your WordPress site

TechRadar – All the latest technology news

An older version of LiteSpeed Cache, a popular plugin for the WordPress website builder, is vulnerable to a high-severity flaw that hackers have been increasingly exploiting.

The flaw is described as an unauthenticated cross-site scripting vulnerability, and tracked as CVE-2023-40000. It carries a severity score of 8.8. 

By adding malicious JavaScript code directly into WordPress files through the plugin, the attackers are able to create new administrator accounts, essentially completely taking over the website. Admin accounts can be used to modify the site’s content, add or remove plugins, or change different settings. Victims can be redirected to malicious websites, served malicious advertising, or have their sensitive user data taken. 

Mitigations and fixes

The flaw was uncovered by WPScan, a cybersecurity project serving as an enterprise vulnerability database for WordPress. Its researchers observed increased activity from different hacking groups, as they scan the internet for compromised WordPress sites. These are all running LiteSpeed Cache version 5.7.0.1 or older. The current version is 6.2.0.1 and is considered immune to this flaw.

One threat actor made more than a million probing requests in April 2024 alone, it was said. 

Allegedly, LiteSpeed Cache has more than five million active users, of which roughly two million (1,835,000) are using the outdated, vulnerable variant. 

LiteSpeed Cache is a plugin promising faster page load times, better user experience, and improved Google Search Results Page positions.

Those fearing they might get targeted are advised to update their plugins to the latest version as soon as possible. Furthermore, they should uninstall all plugins and themes they are not actively using, and delete all suspicious files and folders. 

Those suspecting they might have been targeted already, should look for suspicious strings in the database: “Search in [the] database for suspicious strings like 'eval(atob(Strings.fromCharCode,'” WPScan said. “Specifically in the option litespeed.admin_display.messages.”

Via BleepingComputer

More from TechRadar Pro

https://www.techradar.com/pro/security/watch-out-hackers-can-exploit-this-plugin-to-gain-full-control-of-your-wordpress-site

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow Us

Featured Posts

May 2024
M T W T F S S
 12345
6789101112
13141516171819
20212223242526
2728293031  

About Us

Welcome to encircle News! We are a cutting-edge technology news company that is dedicated to bringing you the latest and greatest in everything tech. From automobiles to drones, software to hardware, we’ve got you covered.

At encircle News, we believe that technology is more than just a tool, it’s a way of life. And we’re here to help you stay on top of all the latest trends and developments in this ever-evolving field. We know that technology is constantly changing, and that can be overwhelming, but we’re here to make it easy for you to keep up.

We’re a team of tech enthusiasts who are passionate about everything tech and love to share our knowledge with others. We believe that technology should be accessible to everyone, and we’re here to make sure it is. Our mission is to provide you with fun, engaging, and informative content that helps you to understand and embrace the latest technologies.

From the newest cars on the road to the latest drones taking to the skies, we’ve got you covered. We also dive deep into the world of software and hardware, bringing you the latest updates on everything from operating systems to processors.

So whether you’re a tech enthusiast, a business professional, or just someone who wants to stay up-to-date on the latest advancements in technology, encircle News is the place for you. Join us on this exciting journey and be a part of shaping the future.

Podcasts

TWiT 979: Musk-stache – Solar Storms, Apple and OpenAI, Tesla Layoffs This Week in Tech (Audio)

Solar Storm Knocks Out Farmers' Tractor GPS Systems During Peak Planting Season Apple Closes in on Deal With OpenAI to Put ChatGPT on iPhone Apple Will Revamp Siri to Catch Up to Its Chatbot Competitors Google is getting even worse for independent sites Musk Plans More Layoffs as Two Senior Tesla Executives Depart At Tesla, a Wild Week That Defined the Company's Future TikTok Sues US Government Over Potential Ban Telegram vs. Signal Sony reverses unpopular Helldivers 2 decision after blistering player reaction Apple apologizes for 'Crush' iPad Pro ad that sparked controversy Host: Leo Laporte Guests: Paris Martineau, Sam Abuelsamid, and Mike Elgan Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsors: bitwarden.com/twit NetSuite.com/TWIT mintmobile.com/twit eufy.com ZipRecruiter.com/Twit
  1. TWiT 979: Musk-stache – Solar Storms, Apple and OpenAI, Tesla Layoffs
  2. TWiT 978: Baptized in Gatorade – AI Priest, FCC Fines, Jack Dorsey Leaves Bluesky
  3. TWiT 977: Gahoo Yoogle – TikTok Ban, Intel's Struggles, Google's Ensh*ttification
  4. TWiT 976: Serial Churners – Netflix Earnings, Cybertruck Recall, FISA
  5. TWiT 975: You Don't Want to Make Gandhi Mad – AI Music, Broadband Nutrition Labels