Incorrect Privilege Assignment Vulnerability in LiteSpeed Cache Allows Privilege Escalation
CVE-2024-50550

9.8 CRITICAL

Key Information:

Vendor
CVE Published:
29 October 2024

Badges

👾 Exploit Exists
📰 News Worthy

What is CVE-2024-50550?

A critical vulnerability has been disclosed in the LiteSpeed Cache WordPress plugin which was exploited to allow unauthenticated visitors to gain administrator rights on affected sites. The flaw is caused by a weak hash check in the plugin's "role simulation" feature, which lets attackers predict and brute-force the hash values. Once exploited, attackers can simulate an administrator role, giving them the ability to upload malware, access databases, and edit web pages. LiteSpeed Technologies has faced multiple security flaws in this plugin this year, some of which have been used in real attacks to compromise websites. A fix for CVE-2024-50550 has been released in version 6.5.2 of the plugin, but a large number of sites are still exposed to this vulnerability.

News Articles

LiteSpeed Cache WordPress plugin bug lets hackers get admin access

The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw in its latest release that could allow unauthenticated site visitors to gain admin rights.

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by BleepingComputer

  • Vulnerability published
