The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw in its latest release that could allow unauthenticated site visitors to gain admin rights.
LiteSpeed Cache is a caching plugin used by over six million WordPress sites, helping to speed up and improve the user browsing experience.
The newly discovered high-severity flaw, tracked as CVE-2024-50550, is caused by a weak hash check in the plugin’s “role simulation” feature, which is designed to simulate user roles so the crawler can scan the site from the perspective of different user levels.
The feature’s function (‘is_role_simulation()’) performs two primary checks using weak security hash values stored in cookies (‘litespeed_hash’ and ‘litespeed_flash_hash’).
However, these hashes are generated with limited randomness, making them predictable under certain configurations.
Specifically, for CVE-2024-50550 to be exploitable, the following settings in the crawler must be configured:
- Run duration and intervals set between 2,500 and 4,000 seconds.
- The server load limit is set to 0.
- Role simulation is set to administrator.
Patchstack’s security researcher Rafie Muhammad explains in his writeup that despite the hash values being 32 characters long, an attacker can predict or brute-force them within a set of 1 million possibilities.
An attacker who successfully exploits this flaw can simulate an administrator role, meaning they can upload and install arbitrary plugins or malware, access backend databases, edit web pages, and more.
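The core lesson of this bug is that the length of a token says nothing about how hard it is to guess: a 32-character hash derived from an input with only a million possible values has at most about 20 bits of entropy, however random it looks. The following Python is an added illustration written for this article, not code from LiteSpeed Cache or from Patchstack’s writeup. It contrasts a hypothetical generator whose only variable input is a seed with one million possible values against a generator backed by the operating system’s CSPRNG, measures the effective keyspace of each, and shows a constant-time cookie comparison for the check itself. The function names, the `role-sim:` prefix and the one-million seed space are assumptions chosen to mirror the figures quoted above.

```python
import hashlib
import hmac
import math
import secrets

# Constructed example: a hypothetical token generator whose only variable
# input is an integer seed drawn from one million values, mirroring the
# "1 million possibilities" the article attributes to CVE-2024-50550.
# This illustrates the weakness class; it is not LiteSpeed Cache's code.
WEAK_SEED_SPACE = 1_000_000


def weak_token(seed: int) -> str:
    """32-hex-char token derived deterministically from a low-entropy seed.

    The output looks random, but there are only WEAK_SEED_SPACE distinct
    values it can ever take, so the hash does not add any secrecy.
    """
    return hashlib.sha256(b"role-sim:" + str(seed).encode()).hexdigest()[:32]


def strong_token() -> str:
    """32-hex-char token from the OS CSPRNG: 16 bytes, 128 bits of entropy."""
    return secrets.token_hex(16)


def entropy_bits(seed_space: int) -> float:
    """Upper bound on token entropy: log2 of the number of distinct inputs.

    A deterministic function of N possible seeds yields at most N tokens,
    regardless of how long the output string is.
    """
    return math.log2(seed_space)


def distinct_tokens(seed_space: int) -> int:
    """Count the distinct outputs of weak_token over a seed space.

    Enumerating the space is what an auditor would do to confirm that the
    effective keyspace is bounded by the seed count, not by the 32 hex chars.
    """
    return len({weak_token(s) for s in range(seed_space)})


def keyspace_is_adequate(seed_space: int, minimum_bits: int = 128) -> bool:
    """Policy check: does the generator's input space give enough entropy?"""
    return entropy_bits(seed_space) >= minimum_bits


def verify_token(presented: str, expected: str) -> bool:
    """Constant-time comparison for a cookie-borne token.

    Using hmac.compare_digest avoids leaking how many leading characters
    matched through timing differences.
    """
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    print(f"weak generator : {WEAK_SEED_SPACE} seeds -> at most "
          f"{entropy_bits(WEAK_SEED_SPACE):.1f} bits, adequate="
          f"{keyspace_is_adequate(WEAK_SEED_SPACE)}")
    print(f"strong generator: {entropy_bits(2 ** 128):.1f} bits, adequate="
          f"{keyspace_is_adequate(2 ** 128)}")
    print(f"distinct weak tokens over 10,000 seeds: {distinct_tokens(10_000)}")
    token = strong_token()
    print("self-check:", verify_token(token, token),
          "mismatch:", verify_token(token, strong_token()))
```

The practical takeaway for reviewing any plugin that mints secrets into cookies is to trace every input that feeds the hash: if all of them are predictable or drawn from a small range, the secret is brute-forceable no matter how it is encoded, and the fix is a CSPRNG source such as `secrets.token_hex` (or `random_bytes()` in PHP), not a longer hash.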
The flaw was discovered by a Taiwanese researcher and reported to Patchstack on September 23, 2024, who contacted the LiteSpeed team the following day.
A fully working PoC demonstrating a practical exploitation scenario was ready by October 10 and shared with LiteSpeed for further consideration.
On October 17, the vendor, LiteSpeed Technologies, released a fix for CVE-2024-50550 in version 6.5.2 of the plugin, improving the randomness of the hash values and making brute-forcing them practically infeasible.
Based on WordPress.org download stats, roughly 2 million websites have upgraded since the release of the patch, which, in the best-case scenario, still leaves 4 million sites exposed to the flaw.
LiteSpeed’s security headaches
This year has been quite eventful for LiteSpeed Cache and its users, as the popular plugin has fixed several critical flaws, some of which were used in actual attacks to compromise websites.
In May 2024, hackers exploited an outdated version of the plugin with an unauthenticated cross-site scripting flaw (CVE-2023-40000) to create administrator accounts and take over sites.
Later, in August, researchers identified a critical unauthenticated privilege escalation vulnerability (CVE-2024-28000), warning of its ease of exploitation. Within hours of its disclosure, attackers launched mass attacks, with Wordfence blocking nearly 50,000 attempts.
Most recently, in September, the plugin fixed CVE-2024-44000, an unauthenticated admin account takeover bug made possible by the public exposure of logs containing secrets.