WordPress is again vulnerable due to a critical bug in the free version of the popular cache plugin LiteSpeed. The vulnerability was recently patched.
According to Patchstack researchers, the cache plugin contains a bug that enables privilege escalation. This allows hackers to obtain admin privileges and take control of the website.
LiteSpeed is a popular WordPress plug-in designed to improve site speed and the user experience for end users. The free version is said to be used by about 6 million WordPress websites.
Attack path
The newly discovered critical vulnerability, CVE-2024-50550, is caused by a weak hash check in the plug-in’s “role simulation” feature. This feature simulates user roles so the built-in crawler can scan the site from different user levels.
The vulnerability arises from two standard checks that use weak security hash values stored in two cookies. The hashes are generated with only limited randomness, so they can be easily predicted in certain configurations, although the plug-in must have specific settings for this to be possible.
According to Patchstack, although the hashes are 32 characters long, hackers can predict them or obtain them via a brute-force attack over a set of 1 million possible combinations.
After a successful attack, hackers can assume the administrator role, allowing them to upload and install arbitrary plug-ins or malware to the affected website. They can also access databases in the backend, modify Web pages and more.
Patch now released
LiteSpeed released a patch for the vulnerability in version 6.5.2 a few weeks ago. This version improves the randomness of hash values, making brute-forcing virtually impossible.
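Why a 32-character value can still be guessable, and why better randomness closes the gap, shown as an added example that is not part of the original article and not the plug-in's code. The seeded generator, the 62-symbol alphabet and the function names are constructed for illustration; only the 32-character length and the 1 million candidates come from the article.

```python
import hmac
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols (assumed alphabet)
TOKEN_LEN = 32                                    # hash length given in the article
SEED_SPACE = 1_000_000                            # candidate count given in the article

def weak_token(seed: int) -> str:
    """Constructed weak generator: every character follows from one small seed."""
    rng = random.Random(seed)                     # non-cryptographic, reproducible PRNG
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))

def strong_token() -> str:
    """Hardened generator: each character is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))

def nominal_bits() -> float:
    """Entropy the token length suggests: 32 * log2(62)."""
    return TOKEN_LEN * math.log2(len(ALPHABET))

def effective_bits(seed_space: int) -> float:
    """Real entropy: a seeded generator cannot emit more tokens than it has seeds."""
    return min(math.log2(seed_space), nominal_bits())

def guess_success(bits: float, attempts: int) -> float:
    """Chance that `attempts` distinct guesses include the secret token."""
    return min(1.0, attempts / 2.0 ** bits)

def token_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison, so timing does not leak a partial match."""
    return hmac.compare_digest(presented.encode(), expected.encode())

if __name__ == "__main__":
    print(f"nominal : {nominal_bits():6.1f} bits")
    print(f"weak    : {effective_bits(SEED_SPACE):6.1f} bits")
    for attempts in (1_000, 100_000, SEED_SPACE):
        weak = guess_success(effective_bits(SEED_SPACE), attempts)
        strong = guess_success(nominal_bits(), attempts)
        print(f"{attempts:>9} guesses: weak={weak:.4f} strong={strong:.2e}")
```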
Meanwhile, about 2 million potentially vulnerable websites have reportedly been patched, meaning that 4 million are still open to a possible attack via CVE-2024-50550.
The well-known WordPress plug-in has been affected by vulnerabilities several times this year. In August, LiteSpeed was affected by the critical CVE-2024-28000 vulnerability, which allowed hackers to take full control of an affected website. This vulnerability was discovered through Patchstack’s bounty program.