A significant security flaw has been uncovered in the LiteSpeed Cache plugin, used by over 6 million WordPress sites, which could allow unauthorized visitors to gain administrator-level access. The vulnerability stems from a weakness in the plugin’s role simulation feature, making it possible for attackers to bypass security and install harmful plugins.
The LiteSpeed Cache plugin, popular for site performance enhancements, is compatible with widely-used WordPress plugins like WooCommerce, bbPress, and Yoast SEO.
According to cybersecurity firm Patchstack, this vulnerability results from weak hash checks, which can be exploited under certain administrator-defined configurations. The issue is particularly pronounced when high run durations and minimal load limits are applied within the plugin’s Crawler feature.
Listed as CVE-2024-50550, the vulnerability is concerning due to its susceptibility to brute-force attacks, enabling attackers to bypass essential security mechanisms.
Specific configurations that make this vulnerability more likely include:
- Enabling the Crawler feature with run durations between 2500-4000 seconds
- Setting the server load limit to 0
- Activating role simulation for administrator-level users
- Recommended Actions to Mitigate the Risk
- In response, Lit
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from CySecurity News – Latest Information Security and Hacking IncidentsRead the original article: