
A security researcher has identified an unauthenticated privilege escalation vulnerability in the LiteSpeed Cache plugin that could compromise WordPress sites.
The vulnerability, tracked as CVE-2024-50550 with a CVSS score of 8.1, lies within the plugin's user simulation feature, which relies on a weak security hash check that uses known values. Once this check is bypassed, malicious plugins can be activated on the compromised site.
The vulnerability revolves around LiteSpeed Cache’s is_role_simulation() function, which is used in the plugin’s crawler feature. While there is an initial Flash Hash check with a strict 120-second hash generation window to prevent mass brute-forcing, “the second check on $_COOKIE['litespeed_hash']” can be manipulated by adjusting the Crawler’s settings: by configuring the “Crawler’s Run Duration to a high but realistic value such as 2500-4000 seconds,” the exploit becomes viable for attackers.
For the vulnerability to be exploitable, the plugin’s Crawler settings need to be configured as follows:
- Crawler->General Settings->Crawler: ON
- Crawler->General Settings->Run Duration: 2500 – 4000
- Crawler->General Settings->Interval Between Runs: 2500 – 4000
- Crawler->General Settings->Server Load Limit: 0
- Crawler->Simulation Settings->Role Simulation: 1 (ID of user with Administrator role)
- Crawler->Summary->Activate: Turn every row to OFF except Administrator
This bug was addressed in LiteSpeed Cache version 6.5.2. Site administrators are urged to update immediately to avoid exploitation.
This research was done by the researcher Rafie Muhammad. For more information, refer to the blog.
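The following audit helper is an added example, not code from the researcher or the plugin. It flags installs older than 6.5.2 and marks those whose Crawler settings match every condition listed above. The dictionary keys (crawler_on, run_duration, run_interval, server_load_limit, role_simulation_id, admin_ids, active_rows) are hypothetical names chosen for this example, not LiteSpeed option identifiers.

```python
import re

FIXED_VERSION = (6, 5, 2)  # first fixed release named in the article


def parse_version(text):
    """'6.5.0.1' -> (6, 5, 0, 1); padded to three parts so '6.5' == '6.5.0'."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_window(value):
    """True for the 2500-4000 second range the article lists."""
    return isinstance(value, int) and 2500 <= value <= 4000


def audit(version, cfg):
    """Return (status, matched_conditions) for one site.

    cfg keys are hypothetical names for this example, not LiteSpeed option ids.
    """
    if parse_version(version) >= FIXED_VERSION:
        return "patched", []
    checks = {
        "Crawler: ON": cfg.get("crawler_on") is True,
        "Run Duration: 2500-4000": in_window(cfg.get("run_duration")),
        "Interval Between Runs: 2500-4000": in_window(cfg.get("run_interval")),
        "Server Load Limit: 0": cfg.get("server_load_limit") == 0,
        "Role Simulation: administrator ID":
            cfg.get("role_simulation_id") in cfg.get("admin_ids", []),
        "Activate: only Administrator ON":
            cfg.get("active_rows") == ["Administrator"],
    }
    matched = [name for name, hit in checks.items() if hit]
    # Every pre-6.5.2 install needs the update; "exposed" marks the ones whose
    # settings also match all of the conditions the article lists.
    status = "exposed" if len(matched) == len(checks) else "update-needed"
    return status, matched


# Constructed sample input (not taken from a real site).
SAMPLE = {"crawler_on": True, "run_duration": 3000, "run_interval": 3000,
          "server_load_limit": 0, "role_simulation_id": 1, "admin_ids": [1],
          "active_rows": ["Administrator"]}

if __name__ == "__main__":
    for ver in ("6.5.1", "6.5.2"):
        print(ver, audit(ver, SAMPLE))
```

A result of "update-needed" still calls for the upgrade to 6.5.2; it only means the current settings do not match the full set of conditions listed above.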


