A serious security flaw has been discovered in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated threat actors to elevate their privileges and perform malicious actions.
The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), was fixed in version 6.5.2 of the plugin.
“The plugin suffers from unauthenticated privilege escalation, which allows any unauthenticated visitor to gain administrator-level access, allowing malicious plugins to be downloaded and installed,” Patchstack security researcher Rafi Muhammad said in an analysis.
LiteSpeed Cache is a popular site acceleration plugin for WordPress that, as the name suggests, comes with advanced caching and optimization features. It is installed on more than six million sites.
The newly discovered issue, according to Patchstack, is rooted in a feature called is_role_simulation and is similar to an earlier flaw that was publicly documented in August 2024 (CVE-2024-28000, CVSS score: 9.8).
It stems from the use of a weak security hash check that can be brute-forced by a bad actor, allowing the crawler functionality to be abused to impersonate a logged-in user, including an administrator.
However, successful exploitation depends on the following plugin configuration:
- Crawler -> General Settings -> Crawler: ON
- Crawler -> General Settings -> Run Duration: 2500 – 4000
- Crawler -> General Settings -> Interval Between Runs: 2500 – 4000
- Crawler -> General Settings -> Server Load Limit: 0
- Crawler -> Impersonation Settings -> Impersonate Role: 1 (User ID with Admin Role)
- Crawler -> Summary -> Activate: Disable every row except admin
The patch released by LiteSpeed removes the role simulation process and updates the hash generation step to use a random value generator, so that the hash is no longer limited to 1 million possibilities.
“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values used as security hashes, or nonces,” Muhammad said.
“PHP’s rand() and mt_rand() functions return values that may be ‘random enough’ for many use cases, but are not unpredictable enough to be used in security-related functions, especially when mt_srand is used in limited capacity.”
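The point in the two quotes above is that a token is only as unpredictable as the seed behind it: if mt_rand() is seeded from a value with one million possible states, every token it can ever emit is one of one million strings, however long the token looks. The following is an added example, not LiteSpeed Cache's code or Patchstack's; the weak_token() function is a hypothetical generator modelled on that flaw class (a constructed seed in the range 0..999999 stands in for a low-entropy source such as a microsecond counter), and strong_token() shows the fix of drawing the token from the OS CSPRNG and comparing it in constant time.

```php
<?php
// Added example (hypothetical code, not from the plugin): seed-bounded tokens
// versus CSPRNG-derived tokens.

// WEAK: the seed space is 1,000,000 values, so the set of reachable tokens is
// at most 1,000,000 strings no matter what $len is. The same seed always
// yields the same token, which is what makes such a value guessable.
function weak_token(int $seed, int $len = 6): string {
    mt_srand($seed);                          // low-entropy seed: 0..999999
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// HARDENED: 16 bytes from random_bytes() give 128 bits of entropy, and the
// token no longer depends on any seed an attacker could narrow down.
function strong_token(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));
}

// Any later check of a submitted token should be constant-time so the
// comparison itself does not leak which prefix matched.
function token_matches(string $expected, string $submitted): bool {
    return hash_equals($expected, $submitted);
}

// Demonstration with a constructed sample seed.
$seed = 123456;
printf("weak, seed %d, run 1: %s\n", $seed, weak_token($seed));
printf("weak, seed %d, run 2: %s (identical: fully determined by the seed)\n", $seed, weak_token($seed));
printf("weak token space: 1,000,000 seeds -> at most 1,000,000 tokens, not 36^6 = %s\n",
       number_format(36 ** 6));
printf("strong token: %s (2^128 possibilities, no seed to narrow)\n", strong_token());
var_dump(token_matches(strong_token(), 'not-the-token')); // bool(false)
```

The design point is that token length is irrelevant when the generator is seeded from a small space; the fix is to change the entropy source (random_bytes(), or WordPress's wp_generate_password() with the same CSPRNG underneath), not to lengthen the output.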
CVE-2024-50550 is the third security flaw discovered in LiteSpeed Cache in the last two months, the other two being CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2).
The development came a few weeks after Patchstack detailed two critical flaws in Ultimate Membership Pro that could lead to privilege escalation and code execution. The flaws have been fixed in version 12.8 and later.
- CVE-2024-43240 (CVSS Score: 9.4) – Unauthenticated elevation of privilege vulnerability could allow an attacker to sign in at any membership level and obtain an attached role
- CVE-2024-43242 (CVSS Score: 9.0) – An unauthenticated PHP object injection vulnerability could allow an attacker to execute arbitrary code.
Patchstack also warns that the ongoing legal dispute between WordPress parent Automattic and WP Engine has prompted some developers to abandon the WordPress.org repository, so users need to monitor the appropriate communication channels to ensure they receive the most up-to-date information on possible plugin removals and security issues.
“Users who fail to manually install plugins that have been removed from the WordPress.org repository are at risk of not receiving new updates that may include important security fixes,” Patchstack CEO Oliver Sild said. “This can make websites vulnerable to hackers who typically use known vulnerabilities and can take advantage in these situations.”