LiteSpeed Cache WordPress plugin bug lets hackers get admin access

The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw on its latest release that could allow unauthenticated site visitors to gain admin rights.

LiteSpeed Cache is a caching plugin used by over six million WordPress sites, helping to speed up and improve user browsing experience.

The newly discovered high-severity flaw tracked as CVE-2024-50550 is caused by a weak hash check in the plugin's "role simulation" feature, designed to simulate user roles to aid the crawler in site scans from different user levels.

The feature's function ('is_role_simulation()') performs two primary checks using weak security hash values stored in cookies ('litespeed_hash' and 'litespeed_flash_hash').

However, these hashes are generated with limited randomness, making them predictable under certain configurations.

Specifically, for CVE-2024-50550 to be exploitable, the following settings in the crawler need to be configured:

1. Run duration and intervals set between 2,500 and 4,000 seconds.
2. The server load limit is set to 0.
3. Role simulation is set to administrator.

Patchstack's security researcher Rafie Muhammad explains in his writeup that despite the hash values being 32 characters long, an attacker can predict/brute force them within a set of one million possibilities.

An attacker who successfully exploits this flaw can simulate an administrator role, meaning that they can upload and install arbitrary plugins or malware, access backend databases, edit web pages, and more.

The flaw was discovered by a Taiwanese researcher and reported to Patchstack on September 23, 2024, who contacted the LiteSpeed team the following day.

A fully working PoC presenting a realistic exploitation scenario was ready by October 10 and shared with LiteSpeed for additional consideration.

On October 17, the vendor, LiteSpeed Technologies, released a fix for CVE-2024-50550 in version 6.5.2 of the plugin, improving the hash value randomness and making brute-forcing them practically infeasible.

Based on WordPress.org download stats, roughly 2 million websites have upgraded since the release of the patch, which, in the best-case scenario, still leaves 4 million sites exposed to the flaw.

LiteSpeed's security headaches

This year has been quite eventful for LiteSpeed Cache and its users, as the popular plugin has fixed multiple critical flaws, some of which were used in actual attacks to compromise websites.

In May 2024, hackers exploited an outdated version of a plugin with an unauthenticated cross-site scripting flaw (CVE-2023-40000) to create administrator accounts and take over sites.

Later, in August, researchers identified a critical unauthenticated privilege escalation vulnerability (CVE-2024-28000), warning of its ease of exploitation. Within hours of its disclosure, attackers launched mass attacks, with Wordfence blocking nearly 50,000 attempts.

Most recently, in September, the plugin fixed CVE-2024-44000, an unauthenticated admin account takeover bug made possible due to the public exposure of logs containing secrets.