Litespeed Cache bug exposes millions of WordPress sites to takeover attacks
ID: 3e521345-0095-577f-9c51-27c20b5d5d79
STIX ID: report--3e521345-0095-577f-9c51-27c20b5d5d79
Feed Name: Bleeping Computer
A critical unauthenticated privilege-escalation vulnerability (CVE-2024-28000) in the LiteSpeed Cache WordPress plugin (versions <= 6.3.0.1) allows attackers to brute-force a weak litespeed_hash value and create admin accounts to take over sites. A patch was released in versions 6.4/6.4.1, but many of the millions of installations appear unpatched, and evidence of scanning and prior exploitation of related LiteSpeed flaws indicates active or imminent abuse.
