ITS IA Alert for LiteSpeed Cache Plugin

This message is intended for U-M IT staff who are responsible for university websites on WordPress, and will be of interest to anyone running a WordPress site.

Summary

A critical vulnerability in the LiteSpeed Cache plugin for WordPress allows threat actors to spoof credentials and gain admin privileges on affected sites.

Problem

An incorrect privilege assignment vulnerability in LiteSpeed Cache versions prior to 6.4 allows unauthenticated site visitors to perform privilege escalation and can allow threat actors to gain administrative privileges on affected systems.

Affected Versions

LiteSpeed Cache plugin versions prior to 6.4. All versions up to, and including, 6.3.0.1 are affected.

Detection

To see if the LiteSpeed plugin is installed on your WordPress server:

  • From the admin dashboard: click on Plugins in the left menu. This will show which plugins are installed and activated. The plugin version is listed after its description.
  • From the command line: The command wp plugin list will list what plugins are installed, along with the version and status for each one. The command wp plugin update can be used to update the plugin to the latest version, or wp plugin delete can be used to uninstall it.  Adding --help to any of these commands displays instructions on how to use that command.

Action Items

Update LiteSpeed Cache plugin to version 6.4 or later. The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21). Updates can be performed from the admin dashboard, or using the command line as noted above.

If you have LiteSpeed installed but not activated, you should delete it or update it before activating. Do not activate older versions of the plugin!

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.