A high-severity safety flaw has been disclosed within the LiteSpeed Cache plugin for WordPress that might enable an unauthenticated menace actor to raise their privileges and carry out malicious actions.
The vulnerability, tracked as CVE-2024-50550 (CVSS rating: 8.1), has been addressed in model 6.5.2 of the plugin.
“The plugin suffers from an unauthenticated privilege escalation vulnerability which permits any unauthenticated customer to achieve administrator stage entry after which malicious plugins could possibly be uploaded and put in,” Patchstack safety researcher Rafie Muhammad mentioned in an evaluation.
LiteSpeed Cache is a well-liked web site acceleration plugin for WordPress that, because the title implies, comes with superior caching performance and optimization options. It is put in on over six million websites.
The newly recognized concern, per Patchstack, is rooted in a perform named is_role_simulation and is much like an earlier flaw that was publicly documented again in August 2024 (CVE-2024-28000, CVSS rating: 9.8).
It stems from the usage of a weak safety hash verify that could possibly be brute-forced by a foul actor, thus permitting for the crawler function to be abused to simulate a logged-in person, together with an administrator.
Nonetheless, a profitable exploitation banks on the next plugin configuration –
- Crawler -> Basic Settings -> Crawler: ON
- Crawler -> Basic Settings -> Run Period: 2500 – 4000
- Crawler -> Basic Settings -> Interval Between Runs: 2500 – 4000
- Crawler -> Basic Settings -> Server Load Restrict: 0
- Crawler -> Simulation Settings -> Position Simulation: 1 (ID of person with administrator position)
- Crawler -> Abstract -> Activate: Flip each row to OFF besides Administrator
The patch put in place by LiteSpeed removes the position simulation course of and updates the hash technology step utilizing a random worth generator to keep away from limiting the hashes to 1 million potentialities.
“This vulnerability highlights the important significance of making certain the energy and unpredictability of values which might be used as safety hashes or nonces,” Muhammad mentioned.
“The rand() and mt_rand() features in PHP return values that could be ‘random sufficient’ for a lot of use circumstances, however they don’t seem to be unpredictable sufficient for use in security-related options, particularly if mt_srand is utilized in a restricted chance.”
CVE-2024-50550 is the third safety flaw to be disclosed in LiteSpeed inside the final two months, the opposite two being CVE-2024-44000 (CVSS rating: 7.5) and CVE-2024-47374 (CVSS rating: 7.2).
The event comes weeks after Patchstack detailed two important flaws in Final Membership Professional that might end in privilege escalation and code execution. However the shortcomings have been addressed in model 12.8 and later.
- CVE-2024-43240 (CVSS rating: 9.4) – An unauthenticated privilege escalation vulnerability that might enable an attacker to register for any membership stage and achieve the connected position for it
- CVE-2024-43242 (CVSS rating: 9.0) – An unauthenticated PHP object injection vulnerability that might enable an attacker to execute arbitrary code.
Patchstack can be warning that the continuing authorized drama between WordPress’ guardian Automattic and WP Engine has prompted some builders to desert the WordPress.org repository, necessitating that customers monitor applicable communication channels to make sure they’re receiving the newest details about doable plugin closures and safety points.
“Customers who fail to manually set up plugins faraway from the WordPress.org repository threat not receiving new updates which might embody necessary safety fixes,” Patchstack CEO Oliver Sild mentioned. “This will depart web sites uncovered to hackers who generally exploit identified vulnerabilities and should take benefit over such conditions.”
