
Serious WordPress compromise likely with LiteSpeed Cache plugin bug


Threat actors could exploit a now-patched, high-severity unauthenticated privilege escalation flaw in the LiteSpeed Cache plugin for WordPress, tracked as CVE-2024-50550, to gain elevated privileges and carry out other malicious activity, according to The Hacker News.

The vulnerability stems from a security hash check whose values are weak enough to be brute-forced, and it can only be exploited when certain configurations in the plugin's crawler feature are enabled, according to a report from Patchstack. "This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces. The rand() and mt_rand() functions in PHP return values that may be 'random enough' for many use cases, but they are not unpredictable enough to be used in security-related features, especially if mt_srand is used in a limited possibility," said researcher Rafie Muhammad. LiteSpeed Cache, which is installed on more than six million websites, was previously reported to be affected by the high-severity bugs CVE-2024-44000 and CVE-2024-47374.
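The following is an added illustration of the point Muhammad makes, not code from the LiteSpeed Cache plugin or from Patchstack: it places a "security hash" generated with mt_rand() beside one generated from PHP's CSPRNG, and shows why the first is reproducible from its seed. Function names and the sample seed are invented for the example.

```php
<?php
// Added example (hypothetical helper names, not LiteSpeed Cache code).
// Contrasts a seed-dependent token built from mt_rand() with one drawn
// from the operating system's cryptographically secure random source.

// Weak pattern: mt_rand() is a Mersenne Twister PRNG. Every value it emits is
// fully determined by the seed passed to mt_srand(), so if the seed space is
// small or guessable, so is the space of possible "security hashes".
function weakSecurityHash(int $length = 6): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $hash = '';
    for ($i = 0; $i < $length; $i++) {
        $hash .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $hash; // derived from PRNG state, not from entropy
}

// Hardened pattern: random_bytes() reads from the OS CSPRNG, so the token's
// unpredictability does not depend on any seeding done elsewhere in the process.
function strongSecurityHash(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes)); // 128 bits of entropy, 32 hex chars
}

// Verification: hash_equals() compares in constant time, so the check itself
// does not leak how many leading characters of a guess were correct.
function verifySecurityHash(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

// Demonstration with a constructed seed value.
mt_srand(12345);
$first = weakSecurityHash();
mt_srand(12345);
$second = weakSecurityHash();
var_dump($first === $second);   // reseeding with the same value reproduces the weak hash

$tokenA = strongSecurityHash();
$tokenB = strongSecurityHash();
var_dump($tokenA === $tokenB);  // independent CSPRNG draws do not collide
var_dump(verifySecurityHash($tokenA, $tokenA)); // constant-time check of a valid token
```

Because the weak hash is a pure function of the seed, any code path that lets a request influence or narrow the seed (as the quoted advice warns about mt_srand) reduces the defender's token to a small enumerable set; the CSPRNG-backed version has no such dependency.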
