WordPress LiteSpeed ​​Cache Plugin Bug Allows Hackers to Gain Admin Access

The free version of the popular LiteSpeed Cache WordPress plugin has fixed a dangerous elevation of privilege flaw in its latest version that could allow unauthenticated site visitors to gain administrator rights.

LiteSpeed Cache is a caching plugin used by over six million WordPress sites, helping to speed up and improve the user’s browsing experience.

The newly discovered high-severity flaw, tracked as CVE-2024-50550, is caused by a weak hash check in the plugin’s “role simulation” feature, which simulates user roles so that the plugin’s crawler can scan the site as different user levels.

The feature function (‘is_role_simulation()’) performs two main checks using weak security hashes stored in cookies (‘litespeed_hash’ and ‘litespeed_flash_hash’).

However, these hashes are generated with limited randomness, making them predictable in certain settings.

Specifically, for CVE-2024-50550 to be exploitable, the following settings must be configured on the crawler:

  1. Run duration and intervals set between 2,500 and 4,000 seconds.
  2. The server load limit is set to 0.
  3. Role simulation is set to administrator.

Rafie Muhammad, a security researcher at Patchstack, explains in his write-up that even though the hash values are 32 characters long, an attacker can predict or brute-force them within a set of a million possibilities.
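A defender-side view of the weakness described above, as an added example that is not from the article, Patchstack or the plugin: a client guessing the cookie has to present many distinct litespeed_hash values, so a site that logs the Cookie header can spot that pattern. The log layout (combined format with the Cookie header as a final quoted field), the IPs and the cookie values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the article): combined log format
# extended with the request's Cookie header as the last quoted field.
def _line(ip, ts, cookie, status=200):
    return f'{ip} - - [{ts}] "GET /?x=1 HTTP/1.1" {status} 512 "-" "Mozilla/5.0" "{cookie}"'

SAMPLE_LOG = "\n".join(
    # one client cycling through 30 distinct 32-character litespeed_hash values
    [_line("203.0.113.7", f"20/Oct/2024:10:00:{i:02d} +0000",
           f"wordpress_test_cookie=WP%20Cookie%20check; litespeed_hash={i:032x}")
     for i in range(30)]
    # a normal client that presents the same cookie value on every request
    + [_line("198.51.100.4", f"20/Oct/2024:10:01:{i:02d} +0000",
             "litespeed_hash=" + "a" * 32) for i in range(5)]
    # a visitor with no cookies at all
    + [_line("192.0.2.9", "20/Oct/2024:10:02:00 +0000", "-")]
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$')
HASH_RE = re.compile(r'(?:^|;\s*)litespeed_hash=([^;]+)')

def distinct_hash_counts(log_text):
    """Map each client IP to the number of distinct litespeed_hash values it sent."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        h = HASH_RE.search(m.group("cookie"))
        if h:
            seen[m.group("ip")].add(h.group(1))
    return {ip: len(vals) for ip, vals in seen.items()}

def flag_guessing_clients(log_text, threshold=10):
    """IPs that presented more distinct litespeed_hash values than a real client would.
    A legitimate browser keeps one value; the threshold is a tuning assumption."""
    return sorted(ip for ip, n in distinct_hash_counts(log_text).items() if n > threshold)

if __name__ == "__main__":
    print(flag_guessing_clients(SAMPLE_LOG))  # ['203.0.113.7']
```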

An attacker who successfully exploits this flaw can impersonate an administrator role, meaning they can load and install arbitrary plugins or malware, access backend databases, edit web pages, and more.

The flaw was discovered by a Taiwanese researcher and reported to Patchstack on September 23, 2024; Patchstack contacted the LiteSpeed team the next day.

A fully functional PoC presenting a realistic exploitation scenario was ready on October 10 and shared with LiteSpeed for further consideration.

On October 17, vendor LiteSpeed Technologies released a fix for CVE-2024-50550 in version 6.5.2 of the plugin, improving hash value randomness and making brute force virtually infeasible.

Based on WordPress.org download statistics, approximately 2 million websites have been updated since the patch was released, which, at best, still leaves 4 million sites exposed to the flaw.

The security headaches of LiteSpeed

This year has been quite eventful for LiteSpeed Cache and its users, as the popular plugin has fixed multiple critical flaws, some of which were used in real attacks to compromise websites.

In May 2024, hackers exploited an outdated version of the plugin with an unauthenticated cross-site scripting flaw (CVE-2023-40000) to create administrator accounts and take control of sites.

Later, in August, researchers identified a critical unauthenticated privilege escalation vulnerability (CVE-2024-28000), warning about its ease of exploitation. Within hours of its disclosure, attackers launched massive attacks, and Wordfence blocked almost 50,000 attempts.

More recently, in September, the plugin fixed CVE-2024-44000, an unauthenticated administrator account takeover flaw that was possible due to public exposure of logs containing secrets.