Although this attack requires that the crawler has been enabled (it is disabled by default) and used at least once to generate a hash, the researchers further discovered that an unprotected Ajax handler could be called to trigger hash generation. “This means all sites using LiteSpeed Cache — not just those with its crawler feature enabled — are vulnerable,” the report said.
Windows systems not affected
Windows systems are immune to the vulnerability, the report continued, because a function required to generate the hash is not available in Windows, which, it said, “means the hash cannot be generated on Windows-based WordPress instances, making the vulnerability exploitable on other [operating systems] such as Linux environments.”
LiteSpeed “strongly recommends” that users upgrade to version 6.4 or higher of the plugin immediately, and also check their sites’ user lists for any unrecognized accounts with administrator privileges and delete them. If an upgrade isn’t immediately possible, it offered some temporary measures to mitigate the risk in its blog post describing the issue.
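As an added, defender-side example that is not part of the article or of LiteSpeed's own tooling, the following POSIX shell script automates the two checks recommended above: it compares the installed plugin version against the 6.4 threshold and reports administrator accounts that are missing from a site owner's allowlist. It assumes WP-CLI (`wp`) is installed on the host and that the plugin's slug is `litespeed-cache`; the `KNOWN_ADMINS` variable is a hypothetical allowlist the site owner maintains.

```shell
#!/bin/sh
# Added audit helper (not from the article or from LiteSpeed): checks the
# installed plugin version against the 6.4 fix threshold named in the article
# and flags administrator accounts that are not on the site owner's allowlist.
# Assumes WP-CLI ("wp") is available and the plugin slug is "litespeed-cache".

FIXED_VERSION="6.4"

# Returns 0 (true) when the installed version is below 6.4, i.e. an upgrade is
# needed. Uses sort -V (GNU coreutils) so that "6.3.0.1" < "6.4" < "6.10".
litespeed_needs_upgrade() {
    installed="$1"
    [ "$installed" = "$FIXED_VERSION" ] && return 1
    lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$installed" ]
}

# Prints every login in the administrator list ($2, one per line) that does
# not appear in the allowlist ($1, one per line). Exact, whole-line match.
unexpected_admins() {
    allowlist="$1"
    admins="$2"
    printf '%s\n' "$admins" | while IFS= read -r login; do
        [ -n "$login" ] || continue
        if ! printf '%s\n' "$allowlist" | grep -qx -- "$login"; then
            printf '%s\n' "$login"
        fi
    done
}

# Live check against a WordPress install; KNOWN_ADMINS (hypothetical) holds the
# site owner's own allowlist of administrator logins, one per line.
audit_site() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 2; }
    version=$(wp plugin get litespeed-cache --field=version)
    if litespeed_needs_upgrade "$version"; then
        echo "LiteSpeed Cache $version is below $FIXED_VERSION: upgrade now"
    fi
    current=$(wp user list --role=administrator --field=user_login)
    unexpected_admins "${KNOWN_ADMINS:-}" "$current" \
        | sed 's/^/unrecognized administrator: /'
}
```

Run `KNOWN_ADMINS="$(printf 'alice\nbob')" sh -c '. ./audit.sh; audit_site'` from the WordPress root; any login printed as unrecognized is a candidate for review and removal.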