Serious Security Vulnerability Discovered in LiteSpeed Cache Plugin for WordPress
A critical security vulnerability has been identified in the LiteSpeed Cache plugin for WordPress, posing significant risk to websites that use it. The flaw allows unauthenticated attackers to escalate their privileges, potentially granting them administrative access and enabling malicious changes to affected sites.
Tracked as CVE-2024-50550, this vulnerability has been assigned a CVSS score of 8.1, indicating high severity. LiteSpeed has fixed the issue in version 6.5.2 of the plugin. According to Rafie Muhammad, a security researcher with Patchstack, the vulnerability stems from the plugin’s lack of robust authentication checks, which permits any unauthenticated visitor to assume an administrative role and consequently upload and install malicious plugins.
The LiteSpeed Cache plugin is widely recognized within the WordPress community for its advanced caching and optimization features, currently in use across more than six million websites. Patchstack’s analysis points to a problematic function named is_role_simulation, which echoes a previously reported vulnerability documented in August 2024 (CVE-2024-28000, CVSS score: 9.8). This issue is primarily rooted in weak security hash checks that can be readily brute-forced by malicious actors, enabling exploitation of the crawler feature to mimic a logged-in administrator.
Successful exploitation requires specific plugin configurations to be in place, including settings that enable role simulation and crawler activity. LiteSpeed's patch removes the role simulation feature and strengthens the hash generation process, using a random value generator to expand the possible hash outputs beyond a mere million variations. Muhammad emphasizes the need for stronger, unpredictable values in security hashes to mitigate risk.
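The keyspace point above, as an added illustration that is not LiteSpeed's or Patchstack's code: a Python model in which a token's only secret is a seed with one million possible values, compared with a token drawn from the operating system's random source. The seed range, the 6-character length, the alphabet and all function names are assumptions made for this example.

```python
import math
import random
import secrets
import string

# Assumed model parameters (not taken from the plugin's source).
ALPHABET = string.ascii_letters + string.digits  # 62 symbols
TOKEN_LEN = 6
SEED_SPACE = 1_000_000  # "a mere million variations", per the article


def weak_token(seed: int) -> str:
    """Token from a PRNG whose only secret is a seed in [0, SEED_SPACE)."""
    rng = random.Random(seed)  # deterministic: same seed, same token
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def strong_token(nbytes: int = 16) -> str:
    """Token drawn from the OS CSPRNG; there is no small seed behind it."""
    return secrets.token_urlsafe(nbytes)


def apparent_bits(length: int = TOKEN_LEN) -> float:
    """Entropy the token appears to have, judged by alphabet and length."""
    return length * math.log2(len(ALPHABET))


def effective_bits(seed_space: int = SEED_SPACE) -> float:
    """Entropy it really has: one token per seed, so at most log2(seeds)."""
    return math.log2(seed_space)


def distinct_weak_tokens(sample_seeds: int) -> int:
    """Count distinct tokens produced by the first `sample_seeds` seeds."""
    return len({weak_token(s) for s in range(sample_seeds)})


if __name__ == "__main__":
    print(f"looks like : {apparent_bits():.1f} bits (6 chars, 62 symbols)")
    print(f"really has : {effective_bits():.1f} bits (seed-limited)")
    print(f"CSPRNG     : {16 * 8} bits, e.g. {strong_token()}")
    print(f"distinct tokens from 10,000 seeds: {distinct_weak_tokens(10_000)}")
```

The token's length and alphabet suggest about 36 bits, but the seed caps it near 20 bits, which is why the fix has to change where the randomness comes from rather than how long the value is.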
This is not the first vulnerability affecting the LiteSpeed plugin; it marks the third critical flaw reported in recent months. Two other vulnerabilities reported earlier, CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2), further underscore the critical need for vigilant security practices among WordPress users.
In the wake of these findings, developers are advised to monitor ongoing legal developments involving WordPress parent company Automattic and third-party hosts like WP Engine, as this situation has led some developers to withdraw from the WordPress.org repository. Such withdrawals can hinder users from receiving crucial updates and security patches.
Patchstack’s CEO, Oliver Sild, cautions that failure to manually install plugins removed from the repository may leave websites vulnerable to cyber-attacks exploiting known vulnerabilities. Sild’s statement stresses the importance of staying informed through relevant communication channels regarding plugin status and security issues.
Given the evolving threat landscape, business owners must recognize the importance of maintaining updated security protocols. Understanding tactics outlined in the MITRE ATT&CK framework, such as initial access and privilege escalation, is crucial in developing a comprehensive cybersecurity strategy. The LiteSpeed Cache vulnerability serves as a stark reminder of the vulnerabilities that can be exploited by cyber adversaries, prompting immediate action to secure online assets.
