The LiteSpeed Cache Plugin, widely used to enhance the speed and performance of WordPress websites, recently patched a critical unauthenticated privilege escalation vulnerability (CVE-2024-28000). With over 5 million active installations, this plugin is a critical tool for many WordPress users.
John Blackbourn, a member of the Patchstack Alliance community, reported the vulnerability and was awarded $14,400, marking the highest bounty ever given in WordPress bug bounty history.
Oliver Sild (Patchstack’s CEO) told WPTavern, “LiteSpeed Cache has its mVDP program with Patchstack through which the vulnerability was reported to the Patchstack zero-day program. We work directly with both researchers and plugin developers to ensure vulnerabilities get patched properly before public disclosures.”
Given its severity, researchers have rated it as “Critical,” with a CVSS score of 9.8, and strongly advise updating to at least version 6.4 immediately. Rafie Muhammad’s post has more details on the technical side of the vulnerability and its patch.
The vulnerability stems from the plugin’s user simulation feature, which relies on a weak security hash using known values. This flaw could allow unauthorized visitors to gain Administrator-level access to a site. Patchstack’s Rafie Muhammad confirmed: “We were able to determine that a brute force attack that iterates all 1 million known possible values for the security hash and passes them in the litespeed_hash cookie — even running at a relatively low 3 requests per second — is able to gain access to the site as any given user ID”.
Wordfence explained that the vulnerability is “due to the plugin not properly restricting the role simulation functionality allowing a user to set their current ID to that of an administrator, if they have access to a valid hash which can be found in the debug logs or through brute force. This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator, and then create a new user account with the administrator role utilizing the /wp-json/wp/v2/users REST API endpoint.” They also cautioned: “We have no doubts that this vulnerability will be actively exploited very soon.”
This vulnerability does not affect Windows-based WordPress instances but poses a risk to those running on other operating systems, such as Linux. “This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces. The rand() and mt_rand() functions in PHP return values that may be “random enough” for many use cases, but they are not unpredictable enough to be used in security-related features.”, Rafie Muhammad added.
Last year, the LiteSpeed Cache plugin patched an XSS vulnerability.
Incidentally, Wordfence launched the WordPress Superhero Challenge last week as part of its ongoing Bug Bounty Program to report critical or high-severity vulnerabilities in plugins or themes with over 5 million active installs, offering a top bounty prize of $31,200.
