High-Severity Flaw in LiteSpeed Cache WordPress Plugin Allows Admin Access to Hackers

October 31, 2024

The LiteSpeed Cache WordPress plugin, employed by over six million websites to enhance speed and user experience, has patched a serious privilege escalation vulnerability in its latest release. This flaw, identified as CVE-2024-50550, originates from a weak hash check within the plugin's 'role simulation' feature. This feature is intended to mimic user roles to assist the crawler in scanning the site from various user levels.

The feature's 'is_role_simulation()' function performs two primary checks using weak security hash values stored in cookies ('litespeed_hash' and 'litespeed_flash_hash'). These hash values are generated with limited randomness, which makes them predictable under specific configurations. CVE-2024-50550 is exploitable only when certain crawler settings are configured.

Rafie Muhammad, a security researcher at Patchstack, explains that although the hash values are 32 characters long, an attacker can predict or brute force them within a set of one million possibilities. An attacker who successfully exploits this flaw can simulate an administrator role, which allows them to upload and install arbitrary plugins or malware, access backend databases, and edit web pages, among other actions.
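Guessing within a set of candidates means one client presents many different values for the same cookie, which is something a defender can look for. The sketch below is an added example, not code from the plugin, LiteSpeed, or Patchstack; it assumes a constructed log format that records the Cookie header (most servers do not log cookies by default) and an arbitrary threshold.

```python
import re
from collections import defaultdict

# Cookie names taken from the article; everything else here is constructed.
COOKIE_NAMES = ("litespeed_hash", "litespeed_flash_hash")

# Assumed log format: client IP first, Cookie header logged as cookie="...".
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?cookie="(?P<cookie>[^"]*)"')


def parse_cookies(header):
    """Split a Cookie header into a name -> value dict."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name] = value
    return pairs


def flag_hash_guessing(lines, threshold=5):
    """Return {ip: distinct_value_count} for clients that present at least
    `threshold` distinct role-simulation cookie values (threshold is an
    assumption; tune it to your own crawler traffic)."""
    seen = defaultdict(set)
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue
        cookies = parse_cookies(match.group("cookie"))
        for name in COOKIE_NAMES:
            if name in cookies:
                seen[match.group("ip")].add((name, cookies[name]))
    return {ip: len(v) for ip, v in seen.items() if len(v) >= threshold}


def build_sample():
    """Constructed log lines using documentation-range IP addresses."""
    lines = []
    for i in range(8):  # one client cycling through different values
        lines.append(f'203.0.113.7 "GET / HTTP/1.1" 200 cookie="litespeed_hash={i:032x}"')
    for _ in range(8):  # one client repeating a single value
        lines.append('198.51.100.4 "GET / HTTP/1.1" 200 cookie="litespeed_hash='
                     + "a" * 32 + '; wp_lang=en"')
    lines.append('192.0.2.9 "GET /about HTTP/1.1" 200 cookie=""')
    return lines


if __name__ == "__main__":
    print(flag_hash_guessing(build_sample()))
```

A legitimate crawler run reuses the same value, so it stays below the threshold while a client rotating values stands out.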

The vulnerability was first discovered by a Taiwanese researcher and reported to Patchstack on September 23, 2024. Patchstack contacted the LiteSpeed team the following day. By October 10, a fully operational Proof of Concept (PoC) demonstrating a realistic exploitation scenario was prepared and shared with LiteSpeed for further review. On October 17, LiteSpeed Technologies, the vendor, released a fix for CVE-2024-50550 in version 6.5.2 of the plugin. The fix increases the randomness of the hash values, making it practically infeasible to brute force them.

However, according to download statistics from WordPress.org, only about 2 million websites have updated since the patch's release. This leaves an estimated 4 million sites potentially vulnerable to the flaw. This is not the first time LiteSpeed Cache and its users have faced such issues. The plugin has addressed several critical vulnerabilities in the past, including CVE-2023-40000, CVE-2024-28000, and CVE-2024-44000, some of which have been exploited in actual attacks to compromise websites.
