A vulnerability in the LiteSpeed Cache plugin for WordPress, which has over 6 million active installations, allows unauthenticated visitors to gain administrator-level access through a security flaw in the plugin’s role simulation feature. That level of access could in turn be used to install malicious plugins.
The LiteSpeed Cache plugin is widely used for site optimization and supports popular WordPress plugins like WooCommerce, bbPress and Yoast SEO.
Vulnerability Details and Exploitation Risks
According to the Patchstack team, the vulnerability stems from weak security hash checks and could be reproduced only under certain configurations set by an administrator, including high run duration settings and load limits in the plugin’s Crawler feature.
The vulnerability, listed as CVE-2024-50550, has raised concerns due to the ease with which hashes can be brute-forced, thereby bypassing key security checks.
Key conditions for reproducing this vulnerability include:
- Enabling the Crawler feature and setting a run duration between 2500 and 4000 seconds
- Setting the server load limit to 0
- Activating role simulation for users with administrator privileges
Steps to Mitigate the Security Flaw
In response to the vulnerability, the LiteSpeed development team has removed the role simulation feature and strengthened hash generation to prevent unauthorized access attempts.
The team also confirmed to Patchstack that it plans to incorporate more robust random value generators in future updates, to improve protection against brute-force attacks.
Patchstack advised LiteSpeed Cache users to update to version 6.5.2 or higher to mitigate this issue.
“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” the firm said. “Any feature regarding role simulation or other user simulation should also be protected with proper access control.”
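The two points in Patchstack’s advice, unpredictable security values and access control in front of any role simulation, are shown together below in an added plain-PHP example. This is not LiteSpeed Cache’s or Patchstack’s code; the function names (current_user_is_admin(), issue_simulation_token(), verify_simulation_token()) are stand-ins, with current_user_is_admin() taking the place of a WordPress capability check such as current_user_can('manage_options').

```php
<?php
// Added example, not LiteSpeed Cache code: a role-simulation token that is unguessable
// and that only an administrator can mint. Assumed names: current_user_is_admin(),
// issue_simulation_token(), verify_simulation_token().
declare(strict_types=1);

const TOKEN_BYTES = 32;   // 256 bits from a CSPRNG: brute force is infeasible
const TOKEN_TTL   = 300;  // seconds a simulation token stays valid
// Stand-in for a capability check such as WordPress's current_user_can('manage_options').
function current_user_is_admin(array $user): bool
{
    return in_array('administrator', $user['roles'] ?? [], true);
}
// Mint a token. Refused unless the caller is an administrator, so the feature is gated
// by access control and not only by the secrecy of the token. Returns [token, record];
// only the record (holding a digest, not the raw token) is stored server-side.
function issue_simulation_token(array $caller, string $simulatedRole, int $now): ?array
{
    if (!current_user_is_admin($caller)) {
        return null;                              // unauthenticated or low-privilege caller
    }
    $token  = bin2hex(random_bytes(TOKEN_BYTES)); // unpredictable, unlike mt_rand()/time() derived values
    $record = ['hash' => hash('sha256', $token), 'role' => $simulatedRole, 'expires' => $now + TOKEN_TTL];
    return [$token, $record];
}
// Validate a presented token: expiry check plus constant-time comparison of digests.
function verify_simulation_token(string $presented, array $record, int $now): ?string
{
    if ($now >= $record['expires']) {
        return null;                              // expired
    }
    if (!hash_equals($record['hash'], hash('sha256', $presented))) {
        return null;                              // mismatch; hash_equals avoids timing leaks
    }
    return $record['role'];
}

// Constructed demo data.
$admin   = ['roles' => ['administrator']];
$visitor = ['roles' => []];
$now     = time();
[$token, $record] = issue_simulation_token($admin, 'editor', $now);
$checks = [
    issue_simulation_token($visitor, 'editor', $now) === null,          // non-admin cannot mint
    verify_simulation_token($token, $record, $now) === 'editor',         // genuine token accepted
    verify_simulation_token(strrev($token), $record, $now) === null,     // altered token rejected
    verify_simulation_token($token, $record, $now + TOKEN_TTL) === null, // expired token rejected
];
echo in_array(false, $checks, true) ? "FAILED\n" : "all checks passed\n";
```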
Additionally, administrators should review plugin settings to ensure that configurations like the Crawler run duration and load limits are optimized for security.