Security Risk Linked to LiteSpeed Cache Plugin Imperils WordPress Sites
A serious security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated attacker to escalate privileges and carry out malicious actions.
Tracked as CVE-2024-50550 (CVSS score: 8.1), the vulnerability has been addressed in version 6.5.2 of the plugin.
“This plugin exhibits an unauthenticated privilege escalation flaw where any unauthenticated visitor can obtain administrator privileges, leading to potential uploads and installations of malicious plugins,” said Patchstack security researcher Rafie Muhammad in an analysis.
LiteSpeed Cache is a popular site acceleration plugin for WordPress that provides advanced caching and optimization features. It is used on more than six million sites.
The new issue, as documented by Patchstack, is rooted in a function called is_role_simulation and resembles a previous vulnerability disclosed in August 2024 (CVE-2024-28000, CVSS score: 9.8).
The root cause is a weak security hash check that an attacker could brute-force, allowing the crawler feature to be abused to simulate a logged-in user, including an administrator.
However, successful exploitation depends on the following plugin configuration:
- Crawler -> General Settings -> Crawler: ON
- Crawler -> General Settings -> Run Duration: 2500 – 4000
- Crawler -> General Settings -> Interval Between Runs: 2500 – 4000
- Crawler -> General Settings -> Server Load Limit: 0
- Crawler -> Simulation Settings -> Role Simulation: 1 (ID of user with administrator role)
- Crawler -> Summary -> Activate: Turn every row to OFF except Administrator
LiteSpeed's fix removes the role simulation process and strengthens the hash generation step by using a random value generator, widening the hash space to more than 1 million possible values.
“This vulnerability highlights the essential need to uphold the strength and unpredictability of values used for security hashes or nonces,” Muhammad said.
“The PHP functions rand() and mt_rand() issue values that may appear ‘random enough’ for various applications but aren’t sufficiently unpredictable for security-related functionalities, particularly when mt_srand is applied in a confined scope.”
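To make the quoted point concrete, here is an added PHP illustration (not code from LiteSpeed Cache or from Patchstack) that contrasts a "security hash" built from mt_rand() after a confined-scope mt_srand() with a CSPRNG-backed value that is stored server-side with a short lifetime and compared in constant time. The function names, the transient key and the ten-minute lifetime are assumptions made for the example; the WordPress transient API calls and PHP's random_bytes() and hash_equals() are real.

```php
<?php
// Added example; not the plugin's code. It contrasts a low-entropy
// "security hash" with a CSPRNG-backed token plus constant-time verification.
// Function names, the transient key and the TTL are hypothetical.

// WEAK: the generator is re-seeded inside the function from a value an
// observer can narrow down (the clock), and the output is a six-digit
// number. Whatever the seed, the presented value can only be one of
// 900,000 candidates, so an online guess-and-check attack is feasible.
function weak_security_hash(): string {
    mt_srand((int) (microtime(true) * 1000) % 1000000); // confined-scope seeding
    return (string) mt_rand(100000, 999999);            // <= 900,000 possible values
}

// STRONG: 16 bytes from the OS CSPRNG, 2^128 possible values. No seeding,
// no dependence on the clock, and the length makes guessing infeasible.
function strong_security_hash(): string {
    return bin2hex(random_bytes(16)); // 32 hex characters
}

// Issue a hash for a privileged action and keep it server-side with a short
// lifetime (WordPress transient API; key and TTL are assumptions).
function issue_privileged_hash(): string {
    $hash = strong_security_hash();
    set_transient('example_privileged_hash', $hash, 10 * MINUTE_IN_SECONDS);
    return $hash;
}

// Verify: fail closed when nothing is outstanding, compare in constant time so
// the check does not leak how many leading bytes matched, and consume the hash
// on success so it cannot be replayed.
function verify_privileged_hash(string $presented): bool {
    $expected = get_transient('example_privileged_hash');
    if (!is_string($expected) || $expected === '') {
        return false;
    }
    if (!hash_equals($expected, $presented)) {
        return false;
    }
    delete_transient('example_privileged_hash');
    return true;
}
```

The point of the contrast is that the size of the reachable output space, not the length of the string, decides how long an attacker needs to guess the value: six decimal digits give under a million candidates, while 16 CSPRNG bytes give 2^128. Binding the value to a short-lived, single-use server-side record limits how many guesses a caller can make against any one hash.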
CVE-2024-50550 is the third security flaw disclosed in LiteSpeed Cache in the past two months, following CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2).
The disclosure comes shortly after Patchstack detailed two critical flaws in Ultimate Membership Pro, fixed in version 12.8 and later, that could lead to privilege escalation and code execution:
- CVE-2024-43240 (CVSS score: 9.4) – An unauthorized privilege escalation vulnerability that allows an attacker to register for any membership level and obtain the associated role
- CVE-2024-43242 (CVSS score: 9.0) – An unauthenticated PHP object injection flaw that allows an attacker to execute arbitrary code.
Patchstack also warns that the ongoing legal dispute between Automattic, the parent company of WordPress, and WP Engine has prompted some developers to withdraw from the WordPress.org repository. Users therefore need to actively monitor the appropriate communication channels for the latest information on potential plugin shutdowns and security concerns.
“Users skipping manual installations for plugins removed from the WordPress.org repository may miss out on critical updates including vital security patches,” said Patchstack CEO Oliver Sild.