High-Severity Flaw in LiteSpeed Cache WordPress Plugin Allows Admin Access to Hackers
October 31, 2024
The LiteSpeed Cache WordPress plugin, employed by over six million websites to enhance speed and user experience, has patched a serious privilege escalation vulnerability in its latest release. This flaw, identified as CVE-2024-50550, originates from a weak hash check within the plugin's 'role simulation' feature. This feature is intended to mimic user roles to assist the crawler in scanning the site from various user levels.
The feature's 'is_role_simulation()' function performs two primary checks against weak security hash values stored in cookies ('litespeed_hash' and 'litespeed_flash_hash'). These hash values are generated with limited randomness, which makes them predictable under specific configurations. CVE-2024-50550 is exploitable only when certain crawler settings are configured.
Rafie Muhammad, a security researcher at Patchstack, explains that although the hash values are 32 characters long, an attacker can predict or brute force them within a set of one million possibilities. An attacker who successfully exploits this flaw can simulate an administrator role, which allows them to upload and install arbitrary plugins or malware, access backend databases, and edit web pages, among other actions.
The vulnerability was first discovered by a Taiwanese researcher and reported to Patchstack on September 23, 2024. Patchstack contacted the LiteSpeed team the following day. By October 10, a fully operational Proof of Concept (PoC) demonstrating a realistic exploitation scenario had been prepared and shared with LiteSpeed for further review. On October 17, the vendor, LiteSpeed Technologies, released a fix for CVE-2024-50550 in version 6.5.2 of the plugin, which increases the randomness of the hash values and makes brute-forcing them virtually infeasible.
However, according to download statistics from WordPress.org, only about 2 million websites have updated since the patch's release. This leaves an estimated 4 million sites potentially vulnerable to the flaw. This is not the first time LiteSpeed Cache and its users have faced such issues. The plugin has addressed several critical vulnerabilities in the past, including CVE-2023-40000, CVE-2024-28000, and CVE-2024-44000, some of which have been exploited in actual attacks to compromise websites.
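The gap between a token's length and its real entropy, as an added example (not LiteSpeed's code or Patchstack's PoC): `weak_token` is a hypothetical generator whose 32-character output is fully determined by a seed drawn from one million values, shown beside a CSPRNG-based form. All function names and the seeding scheme are assumptions for illustration.

```python
import hmac
import math
import random
import secrets

SEED_SPACE = 1_000_000  # the "one million possibilities" quoted in the article
HEX = "0123456789abcdef"


def weak_token(seed: int) -> str:
    """Hypothetical weak generator: output depends only on a small seed."""
    rng = random.Random(seed)  # non-cryptographic PRNG, fully determined by seed
    return "".join(rng.choice(HEX) for _ in range(32))


def strong_token() -> str:
    """Hardened form: 16 bytes from the OS CSPRNG, hex-encoded to 32 chars."""
    return secrets.token_hex(16)


def effective_bits(possible_values: int) -> float:
    """Entropy in bits when every possible value is equally likely."""
    return math.log2(possible_values)


def distinct_outputs(seed_count: int) -> int:
    """Count distinct tokens the weak generator emits for seeds 0..seed_count-1."""
    return len({weak_token(s) for s in range(seed_count)})


def tokens_match(presented: str, expected: str) -> bool:
    """Constant-time comparison for the server-side check."""
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    print("weak  :", weak_token(123456), f"{effective_bits(SEED_SPACE):.1f} bits")
    print("strong:", strong_token(), f"{effective_bits(16 ** 32):.1f} bits")
    print("distinct weak tokens from 1000 seeds:", distinct_outputs(1000))
```

Both tokens look identical in format, but the weak one carries under 20 bits of entropy while the CSPRNG one carries 128, which is the difference the 6.5.2 fix targets.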