A newly disclosed high-severity security flaw in the LiteSpeed Cache plugin for WordPress may enable unauthenticated attackers to elevate privileges and carry out malicious actions.
Designated CVE-2024-50550 with a CVSS score of 8.1, the vulnerability has been addressed in version 6.5.2 of the plugin.
According to Patchstack security researcher Rafie Muhammad, “The plugin suffers from an unauthenticated privilege escalation vulnerability that allows any visitor to gain administrator-level access, enabling the upload and installation of malicious plugins.”
LiteSpeed Cache, known for its advanced caching and optimization features, is widely used, with installations on over six million websites.
The vulnerability, as detailed by Patchstack, lies in the is_role_simulation function and mirrors an earlier flaw disclosed in August 2024 (CVE-2024-28000, CVSS 9.8). This issue originates from a weak security hash that can be brute-forced, potentially allowing unauthorized use of the crawler feature to simulate a logged-in user, including administrator access.
Successful exploitation depends on the following plugin settings:
- Crawler -> General Settings -> Crawler: ON
- Crawler -> General Settings -> Run Duration: 2500 – 4000
- Crawler -> General Settings -> Interval Between Runs: 2500 – 4000
- Crawler -> General Settings -> Server Load Limit: 0
- Crawler -> Simulation Settings -> Role Simulation: 1 (administrator role ID)
- Crawler -> Summary -> Activate: Turn all options OFF except Administrator
LiteSpeed’s update removes the role simulation process and implements a random hash generator so that the hash is no longer confined to a small, predictable set of values.
“This vulnerability highlights the critical importance of ensuring security hashes or nonces are unpredictable,” Muhammad noted, explaining that functions like rand() and mt_rand() in PHP, while sufficient for many uses, lack the unpredictability required for security features, especially when used with mt_srand.
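To illustrate the point Muhammad makes, the following is an added example and not the LiteSpeed Cache plugin's code: a hash generator of the predictable kind described above is shown beside a hardened replacement built on PHP's CSPRNG. The function names, the six-character format and the seed range are assumptions chosen only to make the contrast visible.

```php
<?php
// Added illustration, NOT the LiteSpeed Cache plugin's code. Function names,
// the hash format and the seed range are assumptions for demonstration.

// Predictable: once mt_srand() is called with a value drawn from a bounded
// range, every subsequent mt_rand() result is fully determined by that seed.
// The effective entropy of the hash is therefore the size of the seed range,
// not the length of the output, which is why such a value can be brute-forced.
function weak_hash(int $length = 6): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    mt_srand(mt_rand(0, 999999)); // illustrative weakness: bounded reseed
    $hash = '';
    for ($i = 0; $i < $length; $i++) {
        $hash .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $hash;
}

// Hardened: random_bytes() reads from the operating system's CSPRNG, so the
// value is unpredictable and carries the full 256 bits of entropy.
function secure_hash(): string
{
    return bin2hex(random_bytes(32)); // 64 hex characters
}

// Constant-time comparison: does not leak how many leading characters of a
// submitted value matched the stored one.
function hash_matches(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// Constructed usage: mint a token and verify a submitted copy against it.
$token = secure_hash();
var_dump(hash_matches($token, $token));
var_dump(hash_matches($token, weak_hash()));
```

The defender-side takeaway is that the fix is not a longer hash but a different source of randomness, plus a constant-time comparison when the value is checked.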
CVE-2024-50550 is the third LiteSpeed vulnerability disclosed in two months, following CVE-2024-44000 (CVSS 7.5) and CVE-2024-47374 (CVSS 7.2).
This news comes shortly after Patchstack revealed two critical flaws in Ultimate Membership Pro that could result in privilege escalation and code execution, addressed in version 12.8 and later.
- CVE-2024-43240 (CVSS score: 9.4): An unauthenticated privilege escalation flaw allowing attackers to register for any membership level and gain the associated role
- CVE-2024-43242 (CVSS score: 9.0): An unauthenticated PHP object injection vulnerability enabling arbitrary code execution
Patchstack also advises that ongoing legal disputes between Automattic and WP Engine may prompt developers to exit the WordPress.org repository. As a result, users are encouraged to monitor updates to ensure continued access to security patches.
“Users who do not manually update plugins removed from WordPress.org may miss critical security patches, leaving sites vulnerable to exploitation,” said Patchstack CEO Oliver Sild, noting that hackers often capitalize on such situations by targeting unpatched vulnerabilities.
Source: TheHackerNews