Critical LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites
A significant security vulnerability has been uncovered in the LiteSpeed Cache plugin for WordPress, which could enable unauthorized attackers to elevate their privileges and execute malicious actions. This vulnerability, identified as CVE-2024-50550, carries a high Common Vulnerability Scoring System (CVSS) score of 8.1 and affects a plugin that is utilized on more than six million websites worldwide. A patch has been released in version 6.5.2 to address this issue.
According to Patchstack security researcher Rafie Muhammad, the vulnerability allows unauthenticated users to gain administrator-level access through a flaw in the plugin’s privileges system. This access could potentially allow malicious actors to upload and install harmful plugins on compromised sites. The vulnerability originates from a function named ‘is_role_simulation’ and is reminiscent of another serious issue disclosed in August 2024 (CVE-2024-28000), which had a CVSS score of 9.8.
The root of this security gap lies in a weak security hash check that can be easily brute-forced by malicious entities. Such exploitation could abuse the plugin’s crawler feature, allowing attackers to simulate the presence of a logged-in user, including an administrator.
In response, LiteSpeed has removed the flawed role simulation process and implemented a stronger hash generation process. It now utilizes a random value generator to expand the potential output of hashes significantly beyond one million possibilities. Muhammad emphasized the necessity of robust and unpredictable security hashes in his analysis. He noted that common PHP functions like `rand()` and `mt_rand()` may not produce suitable randomness for security applications, especially when not handled properly.
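As an added illustration that is not the plugin's own code, the plain-PHP snippet below (hypothetical function names) places a token drawn from `mt_rand()` over a six-digit space beside one drawn from `random_bytes()`, and adds the constant-time comparison a verification step should use; the six-digit space is an assumed example, not the plugin's actual format.

```php
<?php
// Added illustration (not LiteSpeed Cache's code): why a short token built
// from mt_rand() is brute-forceable, and what a hardened replacement looks like.

// WEAK (assumed example): a 6-digit numeric token has only 10^6 values, so an
// attacker who can submit guesses freely needs at most a million attempts.
// mt_rand() is also a plain Mersenne Twister PRNG, not a CSPRNG, so its
// output becomes predictable once its internal state is recovered.
function weak_token(): string {
    return str_pad((string) mt_rand(0, 999999), 6, '0', STR_PAD_LEFT);
}

// STRONG: random_bytes() reads from the operating system's CSPRNG.
// 32 bytes = 256 bits of entropy, giving 2^256 possible tokens instead of 10^6.
function strong_token(): string {
    return bin2hex(random_bytes(32)); // 64 hexadecimal characters
}

// Compare in constant time so that response timing does not leak how many
// leading characters of a guess were correct.
function token_matches(string $expected, string $supplied): bool {
    return hash_equals($expected, $supplied);
}

// Rough size of the search space in bits, to make the gap concrete:
// length * log2(alphabet size).
function keyspace_bits(int $alphabet_size, int $length): float {
    return $length * log($alphabet_size, 2);
}

printf("weak token:   %s (~%.1f bits of search space)\n",
    weak_token(), keyspace_bits(10, 6));
printf("strong token: %s (~%.1f bits of search space)\n",
    strong_token(), keyspace_bits(16, 64));
var_dump(token_matches(strong_token(), 'not-the-token'));
```

Beyond the token length, a verification endpoint should also rate-limit or lock out repeated failures, since a large search space only helps if guesses are not free.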
This revelation marks the third security vulnerability reported in the LiteSpeed Cache plugin within the past two months alone, following CVE-2024-44000 and CVE-2024-47374, which had CVSS scores of 7.5 and 7.2 respectively. The frequency of these vulnerabilities raises substantial concerns about the security posture of the plugin.
This announcement comes on the heels of Patchstack revealing critical vulnerabilities in the Ultimate Membership Pro plugin, which could lead to privilege escalation and code execution. Fortunately, those flaws have been addressed in updates following version 12.8.
Furthermore, the ongoing legal disputes between Automattic, the parent company of WordPress, and WP Engine have led to anxieties among developers, prompting some to withdraw their plugins from the WordPress.org repository. This upheaval stresses the importance for users to stay informed through appropriate channels about potential plugin removals and security concerns.
Patchstack CEO Oliver Sild cautioned that without manual updates for plugins removed from the WordPress repository, users risk missing vital security patches that could leave their sites vulnerable. Hackers are known to exploit existing vulnerabilities, and it is crucial for website owners to remain vigilant in protecting their platforms from potential threats.
As the tech community continues to grapple with these pressing security challenges, users are encouraged to take proactive measures to secure their sites. Awareness and timely updates are critical defenses against the constantly evolving landscape of cybersecurity threats. Stay informed to mitigate risks and ensure the integrity of your WordPress website.
