A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions.
The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin.
“The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain administrator level access after which malicious plugins could be uploaded and installed,” Patchstack security researcher Rafie Muhammad said in an analysis.
LiteSpeed Cache is a popular site acceleration plugin for WordPress that, as the name implies, comes with advanced caching functionality and optimization features. It’s installed on over six million sites.
The newly identified issue, per Patchstack, is rooted in a function named is_role_simulation and is similar to an earlier flaw that was publicly documented back in August 2024 (CVE-2024-28000, CVSS score: 9.8).
It stems from the use of a weak security hash check that could be brute-forced by a bad actor, thus allowing for the crawler feature to be abused to simulate a logged-in user, including an administrator.
However, a successful exploitation banks on the following plugin configuration –
- Crawler -> General Settings -> Crawler: ON
- Crawler -> General Settings -> Run Duration: 2500 – 4000
- Crawler -> General Settings -> Interval Between Runs: 2500 – 4000
- Crawler -> General Settings -> Server Load Limit: 0
- Crawler -> Simulation Settings -> Role Simulation: 1 (ID of user with administrator role)
- Crawler -> Summary -> Activate: Turn every row to OFF except Administrator
The patch put in place by LiteSpeed removes the role simulation process and updates the hash generation step using a random value generator to avoid limiting the hashes to 1 million possibilities.
“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” Muhammad said.
“The rand() and mt_rand() functions in PHP return values that may be ‘random enough’ for many use cases, but they are not unpredictable enough to be used in security-related features, especially if mt_srand is used in a limited possibility.”
CVE-2024-50550 is the third security flaw to be disclosed in LiteSpeed within the last two months, the other two being CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2).
The development comes weeks after Patchstack detailed two critical flaws in Ultimate Membership Pro that could result in privilege escalation and code execution. But the shortcomings have been addressed in version 12.8 and later.
- CVE-2024-43240 (CVSS score: 9.4) – An unauthenticated privilege escalation vulnerability that could allow an attacker to register for any membership level and gain the attached role for it
- CVE-2024-43242 (CVSS score: 9.0) – An unauthenticated PHP object injection vulnerability that could allow an attacker to execute arbitrary code.
Patchstack is also warning that the ongoing legal drama between WordPress’ parent Automattic and WP Engine has prompted some developers to abandon the WordPress.org repository, necessitating that users monitor appropriate communication channels to ensure they are receiving the latest information about possible plugin closures and security issues.
“Users who fail to manually install plugins removed from the WordPress.org repository risk not receiving new updates which can include important security fixes,” Patchstack CEO Oliver Sild said. “This can leave websites exposed to hackers who commonly exploit known vulnerabilities and may take advantage over such situations.”
