LiteSpeed, also termed as LSCache is a WordPress website builder. It ensures fast and quick page load time and an overall enhanced user experience. Additionally, this plugin also makes improvements to the positions of Google Search Results. This plugin also supports bbPress, WooCommerce, and Yoast SEO among others. It is an extremely flexible and powerful cache solution benefiting both large and small websites.

Patchstack researchers have stated that LiteSpeedCache publically exposed the debug.log file. The bug carried a 7.5 severity score. Version 6.4.1 and the previous versions have been considered vulnerable to attacks.

LiteSpeed Cache Plugin: Steps to take against this vulnerability

It has been reported that the critical vulnerability comes from a debug log being exposed in public. This file is called /wp-content/debug.log and the public exposure of this file could let unauthenticated attackers access important information within the file.

Steps should be taken to proactively purge the vulnerabilities. Users have been advised to keep their plugins updated to the newest versions to minimize the risks of attacks. Users are asked to update LiteSpeed Cache to the latest Version 6.5.0.1. Cautions have been put out as the vulnerability, CVE-2024-44000 could lead to attackers taking hold of users’ accounts. The updated patch moves the log file to a different folder inside the LSCache folder. Furthermore, it also randomizes the name of the files.

To reduce the threat of attacks, users have also been asked to place a .htaccess rule denying direct access to log files. This method is helpful as the unauthorized actors can still access the log files by simply knowing the file name.

Suggested:

WordPress 6.6.1: New Maintenance Release for WordPress 6.6.

WordPress Tracks Down XSS Vulnerability- Users To Update To 6.5.2.

The post LiteSpeed Cache Plugin Has A Critical Security Vulnerability appeared first on Tricky Enough.

The challenge is targeted solely towards themes and plugins that have more than five million installations. Wordfence aims to secure the Web by funding vulnerability research and releasing the vulnerabilities accordingly.

Vulnerability researchers interested in participating in the WordPress Superhero Challenge can sign up through Wordfence’s official page.

WordPress Superhero Challenge: Competition details

In addition to the cash prize, selected researchers will also be granted a WordPress Superhero badge which will indicate their spectacular efforts towards the security of WordPress.

The Bug Bounty Program was released by Wordfence in 2023 to remunerate researchers for their efforts in discovering and reporting vulnerabilities confidentially. Researchers are also rewarded based on the vulnerability’s criticality and prevalence, ongoing install counts and exploitation ease. Wordfence has spent more than $300,000 in ‘bounties’ ever since its first launch in 2023.

This program does not include companies like Automattic, Google, Siteground and Brainstorm. This exclusion is because these companies have their separate reward programs.

Threat Intelligence Lead at Wordfence, Chloe Chamberland has stated in an official blog that Wordfence plans to supercharge the amount of research needed for trending products. This would consequently improve the security of millions of site visitors who have the products already installed.

Suggested:

WordPress 6.6.1: New Maintenance Release for WordPress 6.6.

Vulnerability in the WordPress plugin for the Metform Elementor Contact Form Builder.

The post WordPress Superhero Challenge Opened by Wordfence appeared first on Tricky Enough.