News Heading - 1

WordPress LiteSpeed Plugin Flaw Puts Millions of Sites at Risk

  • Written by Shipra Sanganeria Cybersecurity & Tech Writer
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

Cybersecurity researchers have warned WordPress users of a security vulnerability in one of the platform's most widely installed plugins, LiteSpeed Cache.

LiteSpeed Cache, a caching plugin used to improve site performance, has more than 4 million active installations of its free version. The vulnerability is an unauthenticated, site-wide stored XSS (cross-site scripting) flaw that can give an attacker unauthorized access to sensitive information.

An attacker can also exploit the vulnerability to escalate privileges on the WordPress site with a single HTTP request.

Discovered by the Patchstack team of researchers, the flaw “occurs because the code that handles input from the user doesn’t implement sanitization and output escaping. This case also combined with improper access control on one of the available REST API endpoints from the plugin,” the advisory explained.

The flaw resides mainly in the function update_cdn_status, which the advisory “confirmed as a function handler” for LiteSpeed Cache’s cdn_status REST API endpoint. Because the endpoint does not enforce a permission check, an unauthenticated attacker can store a payload that later executes in the browser of an administrator, giving the attacker WordPress admin privileges.

“Since the XSS payload is placed as an admin notice and the admin notice could be displayed on any wp-admin endpoint, this vulnerability also could be easily triggered by any user that has access to the wp-admin area,” the advisory added.

To mitigate the vulnerability, Patchstack advised WordPress users to update the LiteSpeed Cache plugin to the latest version, 6.1, released in February 2024. It also advised developers to restrict the affected functions to privileged users by implementing permission checks on them.

“We recommend applying escaping and sanitization to any message that will be displayed as an admin notice. Depending on the context of the data, we recommend using sanitize_text_field to sanitize the value for HTML output (outside of an HTML attribute) or esc_html,” the advisory continued.
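To make the two halves of the advisory's recommendation concrete, the following is an added PHP example written for this article; it is not code from LiteSpeed Cache or from Patchstack. It shows the general pattern the advisory describes (a REST endpoint with no permission check whose stored input is echoed as an admin notice) next to a hardened version that adds a capability check, input sanitization with sanitize_text_field and output escaping with esc_html. The namespace example-cache/v1, the option keys and the function names are assumptions made for this example only.

```php
<?php
/**
 * Illustrative WordPress plugin snippet (example code, not LiteSpeed Cache's own).
 * Route names, option keys and function names are assumptions for this example.
 */

// ---- Vulnerable pattern ---------------------------------------------------

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cache/v1', '/cdn_status', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_cdn_status_unsafe',
        // Any unauthenticated visitor may call this endpoint.
        'permission_callback' => '__return_true',
    ) );
} );

function example_update_cdn_status_unsafe( WP_REST_Request $request ) {
    // Raw request text is stored with no sanitization...
    update_option( 'example_cdn_notice', $request->get_param( 'msg' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'admin_notices', function () {
    $msg = get_option( 'example_cdn_notice' );
    if ( $msg ) {
        // ...and echoed without output escaping on every wp-admin page, so a
        // stored <script> tag runs in the browser of whichever admin opens one.
        echo '<div class="notice notice-info"><p>' . $msg . '</p></div>';
    }
} );

// ---- Hardened pattern -----------------------------------------------------

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cache/v1', '/cdn_status_safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_cdn_status_safe',
        // Only users who may manage the site can change the notice. WordPress
        // REST authentication (cookie + nonce, or application passwords)
        // establishes the current user before this callback runs.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'msg' => array(
                'required'          => true,
                'type'              => 'string',
                // Sanitize on input: sanitize_text_field strips tags, control
                // characters and surrounding whitespace before get_param() returns.
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_update_cdn_status_safe( WP_REST_Request $request ) {
    // get_param() already applied sanitize_text_field via the 'args' schema.
    update_option( 'example_cdn_notice_safe', $request->get_param( 'msg' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'admin_notices', function () {
    $msg = get_option( 'example_cdn_notice_safe' );
    if ( $msg ) {
        // Escape at output time as well: esc_html() is the escaper for text
        // placed between HTML tags (esc_attr() would be used inside an attribute).
        echo '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
    }
} );
```

The three controls are independent and each closes a different part of the attack path: the permission_callback removes the unauthenticated entry point, sanitize_text_field limits what can be stored, and esc_html guarantees that whatever is stored cannot become markup when the notice is rendered. Since WordPress 5.5, register_rest_route emits a _doing_it_wrong notice when permission_callback is omitted entirely, but it does nothing about a callback that simply returns true.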

The vulnerability, first discovered on October 17, 2023, is tracked as CVE-2023-40000 and was fixed in version 5.7.0.1.

News Heading - 2

Hacker Used Stolen Credentials to Breach U-Haul Customer Information

  • Written by Shipra Sanganeria Cybersecurity & Tech Writer
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

In a recent notification, moving truck company U-Haul disclosed a data breach affecting tens of thousands of its customers.

The American truck, trailer, and storage rental company said that an unauthorized individual used legitimate credentials to access a system that U-Haul dealers and team members use to track customer reservations and view customer records.

The breach was discovered on December 5, 2023, but the unauthorized access took place between July 20 and October 2, 2023, the company said in a data breach notice filed with the Office of the Maine Attorney General.

“U-Haul learned on December 5, 2023, that legitimate credentials were used by an unauthorized party to access a system U-Haul Dealers and Team Members use to track customer reservations and view customer records,” U-Haul explained in an email to customers.

Upon learning of the incident, U-Haul said it immediately initiated its response protocol and engaged a cybersecurity firm to investigate.

According to the email, customers’ names, dates of birth, and driver’s license numbers were accessed in the breach. The attacker did not, however, obtain any payment or card-related information.

“The customer record system that was involved is not part of our payment system. No payment card data was involved,” the company stated.

As remediation, U-Haul said it has reset the passwords of all affected customer accounts and deployed additional security safeguards to protect customer information and prevent similar incidents in the future.

“As a precaution, we are offering you a free one-year membership with Experian IdentityWorks℠ Credit 3B. This product helps detect any misuse of your personal information and provides you with identity protection services that focus on immediate identification and resolution of any instance of identity theft,” the breach notification read.

At the time of writing, U-Haul’s website remains offline for undisclosed reasons.