LiteSpeed Cache, a widely used WordPress plugin with over six million active installs, has patched a critical vulnerability in its latest update that could have allowed unauthenticated visitors to gain administrative access.
This flaw, tracked as CVE-2024-50550, was discovered within the plugin’s “role simulation” feature, which enables simulated user roles for crawling and performance monitoring. The security flaw stemmed from weak hash values in the feature’s checks, making it possible for attackers to predict these hashes under certain configurations and gain high-level access.
To exploit this vulnerability, specific settings in LiteSpeed’s crawler need to be configured: a run interval between 2,500 and 4,000 seconds, a server load limit of 0, and the administrator role selected in role simulation. According to Patchstack’s security researcher Rafie Muhammad, an attacker could predict the 32-character hashes due to their limited randomness, making brute-forcing viable. Once exploited, attackers could simulate administrator rights, granting them the ability to install plugins, deploy malware, access sensitive databases, and alter site content.
The vulnerability was first reported to Patchstack on September 23, 2024, by a researcher in Taiwan. LiteSpeed Technologies released a patch on October 17, version 6.5.2, which bolstered hash security, making brute-force attacks nearly impossible. Since the patch’s release, about 2 million users have updated, leaving an estimated 4 million still vulnerable.
This incident follows a series of LiteSpeed Cache vulnerabilities addressed this year. Previous high-severity flaws, like the CVE-2024-28000 privilege escalation bug in August and the cross-site scripting vulnerability CVE-2023-40000 in May, have led to real-world attacks and compromises. The recent spate of security issues underscores the need for website administrators to keep their plugins updated to prevent exploitation and ensure site security.
