Over 6 Million Sites at Risk: Severe Privilege Escalation Flaw CVE-2024-50550 in LiteSpeed Cache Plugin


Rafie Muhammad, a Security Researcher at Patchstack, reveals a severe security vulnerability in the LiteSpeed Cache plugin—a popular WordPress caching plugin with over six million active installations. Known for its advanced server-level caching and compatibility with plugins like WooCommerce and Yoast SEO, LiteSpeed Cache now carries a critical flaw that could compromise WordPress sites worldwide.

The vulnerability, assigned CVE-2024-50550 (CVSS 8.1), is an unauthenticated privilege escalation issue, allowing any unauthenticated visitor to potentially gain Administrator access. According to Muhammad, the vulnerability lies within the “user simulation feature in the plugin,” which “utilizes a weak security hash check that uses known values.” Once an attacker bypasses this check, they can upload and activate malicious plugins on the compromised site.

The vulnerability’s mechanics revolve around LiteSpeed Cache’s is_role_simulation() function used in the plugin’s crawler feature. While there is an initial Flash Hash check with a strict 120-second hash generation window to prevent mass brute-forcing, “the second check on $_COOKIE['litespeed_hash']” can be manipulated by adjusting the Crawler’s settings. Muhammad explains that by configuring the “Crawler’s Run Duration to a high but realistic value such as 2500-4000 seconds,” the exploit becomes viable for attackers.

To exploit this vulnerability, the plugin’s Crawler settings need to be configured as follows:

  • Crawler->General Settings->Crawler: ON
  • Crawler->General Settings->Run Duration: 2500 – 4000
  • Crawler->General Settings->Interval Between Runs: 2500 – 4000
  • Crawler->General Settings->Server Load Limit: 0
  • Crawler->Simulation Settings->Role Simulation: 1 (ID of user with Administrator role)
  • Crawler->Summary->Activate: Turn every row to OFF except Administrator

Muhammad emphasizes the flaw in the hash generation process: “The rrand() function still uses mt_srand((int)((float) microtime() * 1000000)) before the mt_rand() call,” which effectively limits “the generated hash value to 1 million possibilities despite it having 32 random characters.” This limited randomness makes the hash feasible to brute-force, especially when the Crawler is configured with a low load limit.
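To make the quoted weakness concrete, the following is an added illustration written for this article; it is not the plugin's code or Patchstack's proof of concept. It reconstructs the seeding pattern the quote describes next to a hardened alternative; the names weak_seed, weak_hash, strong_hash and verify_hash are assumed names for this example only.

```php
<?php
// Added example, not LiteSpeed Cache code. Reconstructs the quoted pattern:
// mt_srand() seeded from the microsecond fraction of microtime(), followed
// by mt_rand() draws. The seed is an integer in [0, 999999], so at most
// 1,000,000 distinct outputs exist no matter how many characters are drawn.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// The weak seed: microtime() returns "0.123456 1700000000"; casting to float
// keeps only the leading fraction, and * 1000000 yields 0..999999.
function weak_seed(): int {
    return (int) ((float) microtime() * 1000000);
}

// Weak generation: the 32-character string is a pure function of the seed.
// Anyone who knows (or enumerates) the seed reproduces the exact string,
// which is why the quote bounds the hash at one million possibilities.
function weak_hash(int $seed, int $len = 32): string {
    mt_srand($seed);                       // Mersenne Twister is fully determined by its seed
    $n = strlen(ALPHABET);
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= ALPHABET[mt_rand(0, $n - 1)];
    }
    return $out;
}

// Hardened generation: random_int() draws from the OS CSPRNG, so each of the
// 32 characters carries about 5.95 bits of entropy (62 symbols) and there is
// no seed to recover from a timestamp. (In WordPress, wp_generate_password()
// gives the same guarantee.)
function strong_hash(int $len = 32): string {
    $n = strlen(ALPHABET);
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= ALPHABET[random_int(0, $n - 1)];
    }
    return $out;
}

// Compare a presented cookie value against the stored one in constant time,
// so that the check itself does not leak information about the stored value.
function verify_hash(string $presented, string $stored): bool {
    return hash_equals($stored, $presented);
}

// Demonstration: the same seed always yields the same "random" hash.
$seed = 123456;                            // constructed example seed
var_dump(weak_hash($seed) === weak_hash($seed));  // bool(true): weak output is reproducible
var_dump(strlen(strong_hash()) === 32);           // bool(true)
```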

CVE-2024-50550 was initially reported by Patchstack Alliance member TaiYou and has since been addressed in LiteSpeed Cache version 6.5.2. Site administrators are urged to update immediately to avoid exploitation. Security vulnerabilities in widely used plugins like LiteSpeed Cache underscore the need for robust configurations and timely patches, as even sophisticated tools can inadvertently open doors for attackers.
