Critical LiteSpeed Cache Flaw Lets Attackers Create WordPress Admin Accounts
A critical vulnerability in the LiteSpeed Cache plugin for WordPress can let attackers create new user accounts — including administrator accounts — on affected sites, potentially leading to full site takeover. The issue affects unpatched versions prior to 6.4 when the plugin is deployed on Linux-based systems; based on available information, the flaw is not currently believed to be exploitable on Windows-based deployments.
The plugin developer has released a fix in version 6.4, and authorities urged organizations and individuals using WordPress with LiteSpeed Cache to update immediately because no alternative mitigations are available. While exploitation of this specific flaw had not been observed at the time of reporting, prior vulnerabilities in the same product have been widely exploited, increasing the urgency of patching exposed sites.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Traficom warns of critical LiteSpeed Cache vulnerability
Finland's Traficom issued an alert about a critical vulnerability in LiteSpeed Cache versions prior to 6.4 on Linux-based systems. At the time of the alert, exploitation had not been observed and no mitigations other than updating were available.
LiteSpeed Cache 6.4 released to fix critical WordPress plugin flaw
The developers of the LiteSpeed Cache WordPress plugin released version 6.4 to remediate a critical vulnerability affecting Linux-based deployments. The flaw could allow attackers to create WordPress accounts, including administrator accounts, leading to full site takeover.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Kriittinen haavoittuvuus LiteSpeed Cache WordPress -lisäosassa | Traficom
kyberturvallisuuskeskus.fi
Open sourceKriittinen haavoittuvuus LiteSpeed Cache WordPress -lisäosassa | Traficom
kyberturvallisuuskeskus.fi
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LiteSpeed cPanel Plugin Flaw Lets Shared Hosting Users Escalate to Root
LiteSpeed disclosed and patched **CVE-2026-54420**, a high-severity privilege-escalation flaw in the LiteSpeed cPanel plugin that can let a low-privileged user gain **root** access on shared hosting servers. The bug affects plugin versions before **2.4.8** and stems from improper handling of user-supplied symlinks, a weakness classified as **`CWE-61`**. The issue is especially dangerous on **CloudLinux/CageFS** shared hosting deployments, where a single compromised tenant with FTP or web-shell access could potentially jeopardize other hosted sites on the same server. The vulnerability has been reported as **actively exploited in the wild**, with exploitation observed in May 2026, and carries a **CVSS 8.5** severity rating. LiteSpeed said the fix is included in cPanel plugin version **2.4.8**, bundled with **WHM Plugin v5.3.2.1**, and urged administrators to upgrade immediately or temporarily remove the user-end plugin if patching is not yet possible. Defenders were also advised to review cPanel logs for suspicious activity, including repeated requests to certificate-related endpoints from a single IP address.
Jun 19, 2026
Critical Unauthenticated RCE Vulnerability in W3 Total Cache WordPress Plugin (CVE-2025-9501)
A critical vulnerability (CVE-2025-9501) has been identified in the W3 Total Cache WordPress plugin, affecting versions prior to 2.8.13. This flaw allows unauthenticated attackers to execute arbitrary PHP commands on affected sites by submitting a specially crafted comment, exploiting the `_parse_dynamic_mfunc` function. The vulnerability has been assigned a CVSS score of 9.0, indicating a high risk of remote code execution, and potentially impacts up to 1 million WordPress sites using the vulnerable plugin version. Security researchers warn that exploitation of this vulnerability could allow attackers to fully compromise WordPress installations without authentication, leading to site defacement, data theft, or further malware deployment. Administrators are strongly advised to update W3 Total Cache to version 2.8.13 or later to mitigate the risk, as the vulnerability is remotely exploitable and poses a significant threat to a large number of websites.
Mar 21, 2026
Burst Statistics WordPress Plugin Flaw Enables Admin Takeover Under Active Exploitation
A critical authentication-bypass flaw in the **Burst Statistics** WordPress plugin is being actively exploited to seize administrator access on vulnerable sites. Tracked as `CVE-2026-8181`, the bug affects versions `3.4.0` through `3.4.1.1` and was introduced through improper return-value handling in the plugin’s `is_mainwp_authenticated()` logic for Basic Authentication headers. Security researchers reported that an unauthenticated attacker who knows an administrator username can send arbitrary credentials and be treated as that admin for the request, allowing account impersonation or creation of new administrator accounts on sites running the plugin, which is installed on roughly 200,000 WordPress websites. Wordfence said it observed live attacks and blocked more than 7,400 exploitation attempts in a 24-hour period. Successful compromise could enable follow-on activity including data theft, malware deployment, and malicious site redirection. Defenders were urged to update immediately to **Burst Statistics `3.4.2`** or disable the plugin until patching is possible. Separate disclosures also highlighted another severe WordPress plugin issue, `CVE-2026-6510` in **InfusedWoo Pro** `<= 5.1.2`, where missing authorization checks in the `iwar_save_recipe()` AJAX handler can let unauthenticated attackers craft automation-based authentication bypass leading to administrator-level privilege escalation.
May 15, 2026