High-Severity Flaw in LiteSpeed Cache Plugin Exposes Sites to Threats

By Cedric Nelson · 3 min read
Updated on November 01, 2024

A high-severity security flaw has been revealed in the LiteSpeed Cache plugin for WordPress, exposing users to the risk of unauthorized access and potential malicious actions. This vulnerability, tracked as CVE-2024-50550 with a CVSS score of 8.1, has been resolved in the plugin’s latest release, version 6.5.2.

"The plugin suffers from an unauthenticated privilege escalation vulnerability, enabling any unauthenticated visitor to gain administrator-level access, thereby allowing the installation of harmful plugins," stated Patchstack security researcher Rafie Muhammad.

LiteSpeed Cache, widely used for site acceleration and caching, powers over six million sites globally. Patchstack’s analysis identified the root of the issue in a function called is_role_simulation, which has a similar structure to a previously documented vulnerability from August 2024 (CVE-2024-28000, CVSS score: 9.8). The flaw arises due to a weak security hash check that is susceptible to brute-force attacks, potentially allowing bad actors to simulate an administrator.

For this flaw to be exploited, specific plugin settings must be enabled, including:

  • Crawler Settings
    • General Settings: Crawler: ON
    • Run Duration: 2500–4000
    • Interval Between Runs: 2500–4000
    • Server Load Limit: 0
  • Simulation Settings
    • Role Simulation: 1 (ID of the administrator user)
  • Summary Settings
    • Activate: Turn every row to OFF except Administrator

The recent LiteSpeed patch addresses the issue by eliminating role simulation and replacing the hash generation process with a random value generator, enhancing security. "This vulnerability underscores the importance of using strong, unpredictable values in security hashes," said Muhammad. He further noted that PHP functions rand() and mt_rand()—while suitable for general purposes—do not provide sufficient unpredictability for security-critical operations.
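To make the article's point concrete, the following is an added illustration written for this page; it is not LiteSpeed Cache's code, and the function names (weak_role_hash, strong_role_hash, role_hash_is_valid) are hypothetical. It contrasts a short "security hash" drawn from mt_rand(), the kind of predictable, small-keyspace value the analysis describes, with one drawn from PHP's CSPRNG via random_bytes(), and shows a constant-time comparison of the stored and presented values. The 6-character length and the alphabet are constructed for the example, not taken from the plugin.

```php
<?php
// Added example (not the plugin's code): weak vs. strong generation of a
// secret token such as a role-simulation hash, plus a safe comparison.
declare(strict_types=1);

// Weak pattern: mt_rand() is a Mersenne Twister, not a CSPRNG. Its output
// is reproducible from its state, and a 6-character token over a
// 36-symbol alphabet has only 36^6 (about 2^31) possible values, which is
// a trivial brute-force budget for anyone who can submit requests freely.
// (Length and alphabet are constructed for illustration.)
function weak_role_hash(int $length = 6): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $hash = '';
    for ($i = 0; $i < $length; $i++) {
        $hash .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $hash;
}

// Strong pattern: random_bytes() reads from the operating system's CSPRNG.
// 16 bytes give 128 bits of entropy, so guessing is not a practical attack.
function strong_role_hash(): string
{
    return bin2hex(random_bytes(16)); // 32 hexadecimal characters
}

// Compare with hash_equals() so the check runs in constant time and does not
// leak, through response timing, how many leading characters matched.
// An empty stored hash is treated as "feature disabled" and never validates.
function role_hash_is_valid(string $stored, string $presented): bool
{
    if ($stored === '' || strlen($stored) !== strlen($presented)) {
        return false;
    }
    return hash_equals($stored, $presented);
}

// Entropy of a token: log2 of the number of possible values.
function keyspace_bits(int $alphabetSize, int $length): float
{
    return $length * log($alphabetSize, 2);
}

// Demonstration of the difference in keyspace and of the validation path.
printf("weak   6-char token:   %.1f bits\n", keyspace_bits(36, 6));
printf("strong 16-byte token: %.1f bits\n", keyspace_bits(256, 16));

$stored = strong_role_hash();
printf("valid with same value:     %s\n", role_hash_is_valid($stored, $stored) ? 'yes' : 'no');
printf("valid with another value:  %s\n", role_hash_is_valid($stored, strong_role_hash()) ? 'yes' : 'no');
printf("valid when disabled:       %s\n", role_hash_is_valid('', '') ? 'yes' : 'no');
```

The defensive takeaways are the ones Muhammad states: derive any value that gates privileged behaviour from a CSPRNG (random_bytes() or random_int() in PHP, or WordPress's wp_generate_password() with sufficient length), make it long enough that the keyspace cannot be enumerated, and compare it with hash_equals(). For site operators, the practical control remains updating to 6.5.2 or later, where role simulation has been removed altogether.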

This marks the third security flaw identified in LiteSpeed within two months, following the disclosure of CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2). Recently, Patchstack also reported two major flaws in the Ultimate Membership Pro plugin, which were resolved in version 12.8 and higher:

  1. CVE-2024-43240 (CVSS score: 9.4) - An unauthenticated privilege escalation vulnerability allowing attackers to register for any membership level, gaining the assigned role.
  2. CVE-2024-43242 (CVSS score: 9.0) - An unauthenticated PHP object injection vulnerability, risking arbitrary code execution.

Patchstack additionally warns of potential security risks due to developer departures from the WordPress.org repository amidst legal issues involving Automattic and WP Engine. Patchstack CEO Oliver Sild emphasized that users need to stay updated, as “failing to manually install plugins removed from WordPress.org can leave websites vulnerable to known threats, especially if critical security fixes are missed.”
