A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could permit an unauthenticated threat actor to elevate their privileges and perform malicious actions.
The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin.
“The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain administrator level access after which malicious plugins could be uploaded and installed,” Patchstack security researcher Rafie Muhammad said in an analysis.
LiteSpeed Cache is a popular site acceleration plugin for WordPress that, as the name implies, comes with advanced caching functionality and optimization features. It is installed on over six million sites.
The newly identified issue, per Patchstack, is rooted in a function named is_role_simulation and is similar to an earlier flaw that was publicly documented back in August 2024 (CVE-2024-28000, CVSS score: 9.8).
It stems from the use of a weak security hash check that could be brute-forced by a bad actor, thus allowing the crawler feature to be abused to simulate a logged-in user, including an administrator.
However, successful exploitation hinges on the following plugin configuration –
- Crawler -> General Settings -> Crawler: ON
- Crawler -> General Settings -> Run Duration: 2500 – 4000
- Crawler -> General Settings -> Interval Between Runs: 2500 – 4000
- Crawler -> General Settings -> Server Load Limit: 0
- Crawler -> Simulation Settings -> Role Simulation: 1 (ID of user with administrator role)
- Crawler -> Summary -> Activate: Turn every row to OFF except Administrator
The patch put in place by LiteSpeed removes the role simulation process and updates the hash generation step to use a random value generator, so that the hashes are no longer limited to one million possibilities.
“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” Muhammad said.
“The rand() and mt_rand() functions in PHP return values that may be ‘random enough’ for many use cases, but they are not unpredictable enough to be used in security-related features, especially if mt_srand is used in a limited possibility.”
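As an added illustration (not the plugin's own code; the function names are hypothetical), the following PHP contrasts a security hash derived from a bounded mt_rand() result, which caps the number of possible hashes no matter what hashing step follows, with one drawn from the CSPRNG-backed random_bytes(), which is what the advice above calls for.

```php
<?php
// Added example, not LiteSpeed Cache's code. Function names are hypothetical.

// Weak pattern: the "hash" is a deterministic function of a value taken from a
// range of 1,000,000 integers. Hashing does not enlarge that space, so there
// are only 1,000,000 possible outputs, and mt_rand() is not a CSPRNG anyway.
function make_weak_hash(): string {
    $n = mt_rand(0, 999999);                 // Mersenne Twister, bounded range
    return substr(md5((string) $n), 0, 6);   // still at most 1e6 distinct values
}

// Hardened pattern: draw the token directly from the OS CSPRNG. With 16 bytes
// the keyspace is 2^128, far beyond what can be enumerated remotely.
function make_strong_hash(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));
}

// Entropy in bits of a design that can produce $distinct_values outputs.
function keyspace_bits(int $distinct_values): float {
    return log($distinct_values, 2);
}

// Validate a presented token in constant time so the comparison itself does
// not leak which prefix of the token matched.
function verify_hash(string $expected, string $provided): bool {
    return hash_equals($expected, $provided);
}

printf("weak design keyspace:   %.1f bits\n", keyspace_bits(1000000));
printf("strong design keyspace: %d bits\n", 8 * 16);
$token = make_strong_hash();
var_dump(verify_hash($token, $token));          // legitimate token is accepted
var_dump(verify_hash($token, make_weak_hash()));// unrelated value is rejected
```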
CVE-2024-50550 is the third security flaw to be disclosed in LiteSpeed within the last two months, the other two being CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2).
The development comes weeks after Patchstack detailed two critical flaws in Ultimate Membership Pro that could result in privilege escalation and code execution. The shortcomings have been addressed in version 12.8 and later.
- CVE-2024-43240 (CVSS score: 9.4) – An unauthenticated privilege escalation vulnerability that could allow an attacker to register for any membership level and gain the role attached to it
- CVE-2024-43242 (CVSS score: 9.0) – An unauthenticated PHP object injection vulnerability that could allow an attacker to execute arbitrary code.
Patchstack is also warning that the ongoing legal drama between WordPress’ parent Automattic and WP Engine has prompted some developers to abandon the WordPress.org repository, necessitating that users monitor appropriate communication channels to ensure they’re receiving the latest information about possible plugin closures and security issues.
“Users who fail to manually install plugins removed from the WordPress.org repository risk not receiving new updates which can include important security fixes,” Patchstack CEO Oliver Sild said. “This can leave websites exposed to hackers who commonly exploit known vulnerabilities and may take advantage over such situations.”