
The LiteSpeed Cache WordPress plugin bug allows hackers to gain administrative access

The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege escalation issue in its latest release that allowed unauthenticated site visitors to gain administrator privileges.

LiteSpeed Cache is a caching plugin used by over six million WordPress sites that helps speed up sites and improve users’ browsing experience.

The newly discovered, serious flaw, tracked as CVE-2024-50550, is caused by a weak hash check in the plugin’s “role simulation” feature, which simulates user roles so the plugin’s crawler can scan the site as users of different privilege levels would see it.

The feature’s function (‘is_role_simulation()’) performs two primary checks using weak security hash values stored in cookies (‘litespeed_hash’ and ‘litespeed_flash_hash’).

However, these hashes are generated with limited randomness, making them predictable under certain configurations.

In particular, CVE-2024-50550 is only exploitable when the plugin’s crawler is configured as follows:

  1. Run duration and intervals set between 2,500 and 4,000 seconds.
  2. The server load limit is set to 0.
  3. Role simulation is set to administrator.

Patchstack security researcher Rafie Muhammad explains in his write-up that even though the hash values are 32 characters long, an attacker can predict or brute-force them within a space of about a million possibilities.
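Because the weak hashes described above can only be guessed by cycling through many candidate cookie values, the defender-side signal is a single client presenting many distinct ‘litespeed_hash’ or ‘litespeed_flash_hash’ values in a short time. The following added example (not code from the article, Patchstack or the LiteSpeed project) runs that detection over a handful of constructed web-server log lines; the log format, the IP addresses, timestamps, hash values and the alert threshold are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (an assumption, not LiteSpeed's or Apache's default):
# client IP, timestamp, request line, status code, and the Cookie header value
# as a custom LogFormat might record it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
# Both role-simulation cookies named in the article are checked.
COOKIE_RE = re.compile(r"litespeed_(?:flash_)?hash=([0-9A-Za-z]+)")
TS_FMT = "%d/%b/%Y:%H:%M:%S"

# Constructed sample: one client cycling through candidate hash values within a
# few seconds, one normal visitor reusing a single cookie, one request without
# cookies. Hash values are shortened placeholders, not real 32-character hashes.
SAMPLE_LOG = [
    '203.0.113.10 [01/Nov/2024:12:00:01] "GET / HTTP/1.1" 200 "litespeed_hash=0a1b2c3d"',
    '203.0.113.10 [01/Nov/2024:12:00:02] "GET / HTTP/1.1" 200 "litespeed_hash=0a1b2c3e"',
    '203.0.113.10 [01/Nov/2024:12:00:03] "GET / HTTP/1.1" 200 "litespeed_hash=0a1b2c3f"',
    '203.0.113.10 [01/Nov/2024:12:00:04] "GET / HTTP/1.1" 200 "litespeed_hash=0a1b2c40"',
    '203.0.113.10 [01/Nov/2024:12:00:05] "GET / HTTP/1.1" 200 "litespeed_hash=0a1b2c41"',
    '203.0.113.10 [01/Nov/2024:12:00:06] "GET / HTTP/1.1" 200 '
    '"litespeed_hash=0a1b2c42; litespeed_flash_hash=9f9f9f9f"',
    '198.51.100.7 [01/Nov/2024:12:00:03] "GET /about HTTP/1.1" 200 "litespeed_hash=deadbeef"',
    '198.51.100.7 [01/Nov/2024:12:00:40] "GET /blog HTTP/1.1" 200 "litespeed_hash=deadbeef"',
    '192.0.2.5 [01/Nov/2024:12:00:50] "GET / HTTP/1.1" 200 "-"',
]


def parse_line(line):
    """Parse one log line into ip, timestamp and the set of role-simulation
    hash values it carried; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "hashes": set(COOKIE_RE.findall(m["cookie"])),
    }


def find_hash_guessing(lines, threshold=5, window_seconds=60):
    """Return {ip: n} for every client that presented at least `threshold`
    distinct role-simulation hash values inside any `window_seconds` window.
    n is the largest number of distinct values seen in one window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["hashes"]:
            for h in rec["hashes"]:
                events[rec["ip"]].append((rec["ts"], h))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        # Sliding window over the client's events, ordered by time.
        for hi in range(len(evs)):
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_seconds:
                lo += 1
            distinct = len({h for _, h in evs[lo : hi + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, n in find_hash_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct role-simulation hash values within 60s")
```

Only the client that rotates its cookie value is reported; a visitor reusing one hash across requests, as a legitimate crawler session would, never trips the threshold. In practice the threshold and window should be tuned against the site's own traffic, and the alert is a reason to confirm the plugin is at version 6.5.2 or later rather than a verdict on its own.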

An attacker who successfully exploits this flaw can simulate an administrator role, meaning they can upload and install arbitrary plugins or malware, access backend databases, edit web pages, and more.

The flaw was discovered by a Taiwanese researcher and reported to Patchstack on September 23, 2024; Patchstack contacted the LiteSpeed team the next day.

A fully working proof-of-concept (PoC) demonstrating a realistic exploitation scenario was ready on October 10 and was shared with LiteSpeed for review.

On October 17, the vendor, LiteSpeed Technologies, released a fix for CVE-2024-50550 in version 6.5.2 of the plugin, improving the randomness of the hash values and making brute forcing practically infeasible.

Based on download statistics from WordPress.org, approximately 2 million websites have been upgraded since the patch’s release, leaving as many as 4 million sites still exposed to the flaw.

LiteSpeed’s security issues

This year has been quite eventful for LiteSpeed Cache and its users, as the popular plugin fixed multiple critical flaws, some of which were exploited in real attacks to compromise websites.

In May 2024, hackers exploited outdated versions of the plugin affected by an unauthenticated cross-site scripting flaw (CVE-2023-40000) to create administrator accounts and take over sites.

Later, in August, researchers identified a critical unauthenticated privilege escalation vulnerability (CVE-2024-28000), warning of how easy it was to exploit. Within hours of the disclosure, attackers launched mass attacks, with Wordfence blocking almost 50,000 attempts.

Most recently, in September, the plugin fixed CVE-2024-44000, an unauthenticated administrator account takeover bug made possible by the public exposure of debug logs containing secrets.