A serious vulnerability has surfaced in the LiteSpeed Cache plugin for WordPress, exposing websites to privilege escalation by unauthenticated attackers. The high-severity flaw, tracked as CVE-2024-50550 and rated 8.1 on the CVSS scale, lets unauthenticated users elevate their privileges; it was fixed in plugin version 6.5.2, and sites remain exposed until they update.
“This flaw permits privilege escalation by unauthenticated users, allowing them to gain administrator-level access and install harmful plugins,” explained Rafie Muhammad, a security researcher at Patchstack, in his analysis.
LiteSpeed Cache, a popular WordPress plugin for site optimization and advanced caching, has over six million installations. The newly identified vulnerability, located in the function is_role_simulation, closely mirrors an earlier security issue from August 2024 (CVE-2024-28000, CVSS score: 9.8). It stems from a weak security hash that could be brute-forced, enabling attackers to abuse the crawler function and simulate a logged-in user, including one with administrative privileges.
Successful exploitation hinges on specific configurations within the plugin:
- Crawler -> General Settings -> Crawler: ON
- Crawler -> General Settings -> Run Duration: 2500 – 4000
- Crawler -> General Settings -> Interval Between Runs: 2500 – 4000
- Crawler -> General Settings -> Server Load Limit: 0
- Crawler -> Simulation Settings -> Role Simulation: 1 (Administrator user ID)
- Crawler -> Summary -> Activate: Disable all except Administrator
To address the issue, LiteSpeed’s latest patch removes the role simulation feature and generates the hash from a random value generator, replacing the previous scheme, which could produce only 1 million possible hashes.
“This incident underlines the critical necessity of utilizing robust and unpredictable values in the generation of security hashes or nonces,” Muhammad noted. “While PHP functions like rand() and mt_rand() may be suitable for general use, they lack the unpredictability essential for security-critical applications, particularly if mt_srand is utilized within constrained parameters.”
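The following PHP snippet is an added illustration of the point above, not LiteSpeed Cache's own code: it places a token built from a seeded mt_rand() next to one built from random_bytes(). The seed range (assumed to be one million values, matching the hash count quoted above), the token length and the alphabet are assumptions for the example.

```php
<?php
// Added example (not the plugin's code). Shows why a mt_srand()-seeded
// token is only as unpredictable as its seed, and what the hardened
// form looks like.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';

// Weak pattern: the token is a pure function of the seed. If the seed
// is confined to [0, 999999] (assumed here), there are at most one
// million distinct tokens no matter how long the token string is.
function weak_token(int $seed, int $len = 6): string
{
    mt_srand($seed % 1000000);  // assumed constrained seed space
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= ALPHABET[mt_rand(0, strlen(ALPHABET) - 1)];
    }
    return $out;
}

// Hardened pattern: random_bytes() draws from the OS CSPRNG. Sixteen
// bytes give 2^128 possible tokens and there is no seed to recover.
function strong_token(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Re-seeding with the same value reproduces the same weak token. This
// determinism is the property a reviewer should look for: a token that
// can be regenerated from a small seed is not a secret.
function weak_token_is_deterministic(int $seed): bool
{
    return weak_token($seed) === weak_token($seed);
}

// Two strong tokens generated back to back should never collide.
function strong_tokens_differ(): bool
{
    return strong_token() !== strong_token();
}

var_dump(weak_token_is_deterministic(123456));
var_dump(strong_tokens_differ());
```

When reviewing a plugin, search for mt_srand() or srand() calls near any code that mints hashes, nonces or tokens; the presence of an explicit seed is the warning sign, regardless of how the seed is derived.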
CVE-2024-50550 marks the third vulnerability disclosed within LiteSpeed Cache in the past two months. The two preceding vulnerabilities, CVE-2024-44000 (CVSS 7.5) and CVE-2024-47374 (CVSS 7.2), underscore a series of recent security concerns.
This development follows Patchstack’s recent disclosure of severe flaws in Ultimate Membership Pro, which could enable privilege escalation and code execution. The issues, since patched in version 12.8, included:
- CVE-2024-43240 (CVSS score: 9.4): An unauthenticated privilege escalation vulnerability, allowing attackers to gain unauthorized membership levels and roles.
- CVE-2024-43242 (CVSS score: 9.0): An unauthenticated PHP object injection flaw, capable of permitting arbitrary code execution.
Patchstack also warns that the ongoing legal dispute between Automattic, the parent entity of WordPress, and WP Engine may lead some developers to leave the WordPress.org repository. Users should therefore stay vigilant and monitor the relevant channels for timely updates on plugin security and availability.
“Websites relying on plugins removed from the WordPress.org repository may miss crucial security updates, exposing themselves to vulnerabilities that hackers often exploit,” remarked Oliver Sild, Patchstack CEO. “Those who overlook manual updates could unknowingly leave their websites open to malicious actors taking advantage of these gaps.”