A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and carry out malicious actions.
The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin.
“The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain administrator-level access, after which malicious plugins could be uploaded and installed,” Patchstack security researcher Rafie Muhammad said in an analysis.
LiteSpeed Cache is a popular site acceleration plugin for WordPress that, as the name implies, comes with advanced caching functionality and optimization features. It is installed on over six million sites.
The newly identified issue, according to Patchstack, is rooted in a function named is_role_simulation and is similar to an earlier flaw that was publicly documented in August 2024 (CVE-2024-28000, CVSS score: 9.8).
It stems from the use of a weak security hash check that can be brute-forced by a bad actor, thereby allowing the crawler feature to be abused to simulate a logged-in user, including an administrator.
However, successful exploitation depends on the following plugin configuration –
- Crawler -> General Settings -> Crawler: ON
- Crawler -> General Settings -> Run Duration: 2500 – 4000
- Crawler -> General Settings -> Interval Between Runs: 2500 – 4000
- Crawler -> General Settings -> Server Load Limit: 0
- Crawler -> Simulation Settings -> Role Simulation: 1 (ID of user with administrator role)
- Crawler -> Summary -> Activate: Turn every row to OFF except Administrator
The patch put in place by LiteSpeed removes the role simulation process and updates the hash generation step to use a random value generator, so that the hashes are no longer limited to one million possibilities.
“This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces,” Muhammad said.
“The rand() and mt_rand() functions in PHP return values that may be ‘random enough’ for many use cases, but they are not unpredictable enough to be used in security-related features, especially if mt_srand is used in a limited possibility.”
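To make the point in the two quotes concrete, the following PHP snippet is an added illustration written for this article; it is not LiteSpeed Cache's code and does not reproduce the plugin's actual implementation. The "weak" scheme is an assumed model of the bug class described above (a hash that is a deterministic function of a seed drawn from only one million values), placed beside the approach the fix is described as taking: drawing the value from a cryptographically secure random source. The constant name WEAK_SEED_SPACE and all function names are this example's own.

```php
<?php
declare(strict_types=1);

// Illustrative example for this article, NOT LiteSpeed Cache's code.
// The weak scheme is an assumption that models the class of bug described
// (hash space capped at one million values), not the plugin's real code.

const WEAK_SEED_SPACE = 1_000_000;

/**
 * Weak: the hash is a deterministic function of the seed. mt_rand() after
 * mt_srand($seed) always yields the same sequence, so the number of distinct
 * hashes can never exceed the number of distinct seeds, however long the
 * output string looks.
 */
function weak_hash_from_seed(int $seed): string
{
    mt_srand($seed);                        // mt_rand() is now fully determined by $seed
    $hash = '';
    for ($i = 0; $i < 6; $i++) {
        $hash .= chr(mt_rand(97, 122));     // six lowercase letters
    }
    return $hash;
}

/**
 * Even if the seed itself is picked well, a seed space of 1,000,000 values
 * bounds the hash space at 1,000,000 values (about 20 bits).
 */
function weak_security_hash(): string
{
    return weak_hash_from_seed(random_int(0, WEAK_SEED_SPACE - 1));
}

/**
 * Hardened: take the hash straight from the OS CSPRNG. 32 bytes give 2^256
 * possibilities, there is no seed to reproduce and nothing to enumerate.
 */
function secure_security_hash(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

/** Compare in constant time so the check does not leak via response timing. */
function hash_matches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

/** Effective size of each scheme's value space, in bits. */
function weak_keyspace_bits(): float
{
    return log(WEAK_SEED_SPACE, 2);         // about 19.9 bits
}

function secure_keyspace_bits(int $bytes = 32): int
{
    return $bytes * 8;                      // 256 bits for 32 bytes
}

// Demonstration when run directly: same seed -> same "random" hash.
$a = weak_hash_from_seed(4242);
$b = weak_hash_from_seed(4242);
printf("weak hash for seed 4242, twice: %s %s (identical: %s)\n",
    $a, $b, $a === $b ? 'yes' : 'no');
printf("weak keyspace:   ~%.1f bits\n", weak_keyspace_bits());
printf("fresh weak hash: %s\n", weak_security_hash());

$s = secure_security_hash();
printf("secure hash:     %s\n", $s);
printf("secure keyspace: %d bits\n", secure_keyspace_bits());
printf("hash_matches:    %s\n", hash_matches($s, $s) ? 'yes' : 'no');
```

The defensive takeaway is the one Muhammad states: what matters is the size and unpredictability of the value space, not how long the hash looks. Inside WordPress itself, random_bytes() or wp_generate_password() are the usual sources for such values, and hash_equals() should be used for the comparison so that the check cannot be sped up through timing differences.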
CVE-2024-50550 is the third security flaw to be disclosed in LiteSpeed within the last two months, the other two being CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2).
The development comes weeks after Patchstack detailed two critical flaws in Ultimate Membership Pro that could lead to privilege escalation and code execution. The shortcomings have been addressed in version 12.8 and later.
- CVE-2024-43240 (CVSS score: 9.4) – An unauthenticated privilege escalation vulnerability that could allow an attacker to register for any membership level and gain the role attached to it
- CVE-2024-43242 (CVSS score: 9.0) – An unauthenticated PHP object injection vulnerability that could allow an attacker to execute arbitrary code.
Patchstack is also warning that the ongoing legal dispute between WordPress' parent Automattic and WP Engine has prompted some developers to abandon the WordPress.org repository, so users need to monitor the appropriate communication channels to ensure they are receiving the latest information about possible plugin closures and security issues.
“Users who fail to manually install plugins removed from the WordPress.org repository risk not receiving new updates, which can include important security fixes,” Patchstack CEO Oliver Sild said. “This may leave websites exposed to hackers who frequently exploit known vulnerabilities and may take advantage of such situations.”