LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites

Avatar
A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions. The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin. “The plugin suffers from an unauthenticated privilege escalation vulnerability
[[{“value”:”

A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions.

The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin.

“The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain administrator level access after which malicious plugins could be uploaded and installed,” Patchstack security researcher Rafie Muhammad said in an analysis.

LiteSpeed Cache is a popular site acceleration plugin for WordPress that, as the name implies, comes with advanced caching functionality and optimization features. It’s installed on over six million sites.

The newly identified issue, per Patchstack, is rooted in a function named is_role_simulation and is similar to an earlier flaw that was publicly documented back in August 2024 (CVE-2024-28000, CVSS score: 9.8).

It stems from the use of a weak security hash check that could be brute-forced by a bad actor, thus allowing for the crawler feature to be abused to simulate a logged-in user, including an administrator.

However, a successful exploitation banks on the following plugin configuration –

Crawler -> General Settings -> Crawler: ON
Crawler -> General Settings -> Run Duration: 2500 – 4000
Crawler -> General Settings -> Interval Between Runs: 2500 – 4000
Crawler -> General Settings -> Server Load Limit: 0
Crawler -> Simulation Settings -> Role Simulation: 1 (ID of user with administrator role)
Crawler -> Summary -> Activate: Turn every row to OFF except Administrator

The patch put in place by LiteSpeed removes the role simulation process and updates the hash generation step using a random value generator to avoid limiting the hashes to 1 million possibilities.

“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” Muhammad said.

“The rand() and mt_rand() functions in PHP return values that may be ‘random enough’ for many use cases, but they are not unpredictable enough to be used in security-related features, especially if mt_srand is used in a limited possibility.”

CVE-2024-50550 is the third security flaw to be disclosed in LiteSpeed within the last two months, the other two being CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2).

The development comes weeks after Patchstack detailed two critical flaws in Ultimate Membership Pro that could result in privilege escalation and code execution. But the shortcomings have been addressed in version 12.8 and later.

CVE-2024-43240 (CVSS score: 9.4) – An unauthenticated privilege escalation vulnerability that could allow an attacker to register for any membership level and gain the attached role for it
CVE-2024-43242 (CVSS score: 9.0) – An unauthenticated PHP object injection vulnerability that could allow an attacker to execute arbitrary code.

Patchstack is also warning that the ongoing legal drama between WordPress’ parent Automattic and WP Engine has prompted some developers to abandon the WordPress.org repository, necessitating that users monitor appropriate communication channels to ensure they are receiving the latest information about possible plugin closures and security issues.

“Users who fail to manually install plugins removed from the WordPress.org repository risk not receiving new updates which can include important security fixes,” Patchstack CEO Oliver Sild said. “This can leave websites exposed to hackers who commonly exploit known vulnerabilities and may take advantage over such situations.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

Next Post

Enterprise Identity Threat Report 2024: Unveiling Hidden Threats to Corporate Identities

Related Posts

Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining

The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties. "The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure
Avatar
Read More

THN Cybersecurity Recap: Last Week’s Top Threats and Trends (September 16-22)

Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean
Avatar
Read More

Gamers Tricked Into Downloading Lua-Based Malware via Fake Cheating Script Engines

Users searching for game cheats are being tricked into downloading a Lua-based malware that is capable of establishing persistence on infected systems and delivering additional payloads. "These attacks capitalize on the popularity of Lua gaming engine supplements within the student gamer community," Morphisec researcher Shmuel Uzan said in a new report published today, adding "this malware
Avatar
Read More