At a glance.
- WordPress plugin vulnerability affects over 5 million sites.
- Google patches Chrome zero-day.
- US Justice Department charges alleged member of the Karakurt ransomware group.
WordPress plugin vulnerability affects over 5 million sites.
A patch has been issued for a critical privilege escalation flaw affecting the LiteSpeed Cache plugin for WordPress sites, Infosecurity Magazine reports. LiteSpeed Cache is the most popular caching plugin for WordPress, with more than 5 million installations. Patchstack has published a report on the vulnerability, stating, "The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and installed. The vulnerability exploits a user simulation feature in the plugin which is protected by a weak security hash that uses known values."
Security researcher John Blackbourn discovered the flaw and was awarded $14,400 through the Patchstack Zero Day bug bounty program, which Patchstack notes is "the highest bounty in the history of WordPress bug bounty hunting."
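The report's core point is that a "security hash" built from values an attacker already knows or can guess is not a secret at all. The following PHP is an added illustration written for this summary, not code from the LiteSpeed Cache plugin or from Patchstack's report: the weak pattern derives a short token from observable inputs (a site id and a timestamp, both assumed here for illustration), while the hardened pattern draws the token from the CSPRNG, keeps it server-side, and compares it in constant time.

```php
<?php
// Added illustration; hypothetical, not the plugin's actual code.

// Weak pattern: the token is a function of inputs that are public or
// guessable, so anyone who knows (or can enumerate) them can reproduce it.
function weak_token(int $site_id, int $timestamp): string {
    return substr(md5($site_id . $timestamp), 0, 6); // 24 bits, from known values
}

// Hardened pattern: the token is unpredictable (256 bits from random_bytes),
// is generated once and stored server-side, and is never derived from
// anything the client can observe.
function generate_secure_token(): string {
    return bin2hex(random_bytes(32));
}

// Verification uses hash_equals() so the comparison time does not leak
// how many leading bytes matched.
function verify_token(string $stored, string $presented): bool {
    return hash_equals($stored, $presented);
}

// Usage sketch: store $token alongside the session or user record and require
// it on every privileged action; treat any mismatch as a failed attempt.
$token = generate_secure_token();
var_dump(verify_token($token, $token));       // bool(true)
var_dump(verify_token($token, weak_token(1, time()))); // bool(false)
```

For operators, the immediate mitigation is the vendor patch: list installed plugin versions with `wp plugin list` (WP-CLI) or the WordPress admin Plugins screen, and update LiteSpeed Cache to the fixed release named in the Patchstack advisory. Any unexpected Administrator accounts or newly installed plugins on a site that ran the vulnerable version should be treated as indicators of compromise and reviewed.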