Record Bounty Awarded as Critical Privilege Escalation Vulnerability Patched in LiteSpeed Cache Plugin – WP Tavern
The LiteSpeed Cache plugin, widely used to improve the speed and performance of WordPress websites, recently patched a critical unauthenticated privilege escalation vulnerability (CVE-2024-28000). With over 5 million active installations, the plugin is a core tool for many WordPress users.
John Blackbourn, a member of the Patchstack Alliance community, reported the vulnerability and was awarded $14,400, the highest bounty ever paid in WordPress bug bounty history.
Oliver Sild (Patchstack's CEO) told WPTavern, "LiteSpeed Cache has its mVDP program with Patchstack through which the vulnerability was reported to the Patchstack zero-day program. We work directly with both researchers and plugin developers to ensure vulnerabilities get patched properly before public disclosures."
Given its severity, researchers have rated it "Critical," with a CVSS score of 9.8, and strongly advise updating to at least version 6.4 immediately. Rafie Muhammad's post has more details on the technical side of the vulnerability and its patch.
The vulnerability stems from the plugin's user simulation feature, which relies on a weak security hash drawn from a small set of known values. This flaw could allow unauthenticated visitors to gain Administrator-level access to a site. Patchstack's Rafie Muhammad confirmed: "We were able to determine that a brute force attack that iterates all 1 million known possible values for the security hash and passes them in the litespeed_hash cookie — even running at a relatively low 3 requests per second — is able to gain access to the site as any given user ID".
Wordfence explained that the vulnerability is "due to the plugin not properly restricting the role simulation functionality allowing a user to set their current ID to that of an administrator, if they have access to a valid hash which can be found in the debug logs or through brute force. This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator, and then create a new user account with the administrator role utilizing the /wp-json/wp/v2/users REST API endpoint." They also cautioned: "We have no doubts that this vulnerability will be actively exploited very soon."
This vulnerability does not affect Windows-based WordPress installations but poses a risk to those running on other operating systems, such as Linux. "This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces. The rand() and mt_rand() functions in PHP return values which may be "random enough" for many use cases, but they are not unpredictable enough to be used in security-related features.", Rafie Muhammad added.
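The two quoted points above, a hash space of only one million enumerable values and the unsuitability of rand()/mt_rand() for security tokens, come down to one rule: a token's entropy is bounded by the entropy of the PRNG seed, not by the size of the token alphabet. The Python below models that, as an added example that is not code from the LiteSpeed Cache plugin or from the Patchstack or Wordfence write-ups. It assumes a seed space of 1,000,000 values and a 6-character token (modelling assumptions, not figures taken from the plugin source), uses Python's Mersenne Twister in place of PHP's mt_rand(), and uses a small simulated site in place of the real litespeed_hash cookie check. The hardened form uses a CSPRNG token, the equivalent of PHP's random_bytes()/random_int().

```python
"""Low-entropy security hash: enumeration attack and hardened form.

Added example; not the plugin's code. Seed space, token length and the
cookie check are simplified stand-ins for illustration.
"""
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits
SEED_SPACE = 1_000_000   # assumed: seeds an attacker can enumerate
HASH_LEN = 6             # assumed token length


def weak_hash(seed: int, length: int = HASH_LEN) -> str:
    """Token from a Mersenne Twister PRNG seeded with a low-entropy value.

    62**length strings look possible, but only SEED_SPACE distinct tokens
    can ever be produced, one per seed, so the whole set is precomputable.
    """
    rng = random.Random(seed)          # deterministic for a given seed
    return "".join(ALPHABET[rng.randrange(len(ALPHABET))] for _ in range(length))


def strong_hash(length: int = 32) -> str:
    """Hardened form: CSPRNG output, no seed to guess, 62**32 possibilities."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class SimulatedSite:
    """Stand-in for the role-simulation check (constructed, not the plugin):
    a request whose cookie matches the site hash is served as the requested
    user ID, which is how an attacker becomes user 1 (administrator)."""

    def __init__(self, site_hash: str) -> None:
        self._hash = site_hash
        self.requests = 0

    def request(self, cookie_hash: str, as_user_id: int) -> Optional[int]:
        self.requests += 1
        # Constant-time compare: correct, but irrelevant against enumeration.
        if secrets.compare_digest(cookie_hash, self._hash):
            return as_user_id
        return None


def brute_force(site: SimulatedSite, seed_space: int = SEED_SPACE,
                target_user_id: int = 1) -> Optional[int]:
    """Attacker loop: present every token the weak generator can emit."""
    for seed in range(seed_space):
        uid = site.request(weak_hash(seed), target_user_id)
        if uid is not None:
            return uid
    return None


def worst_case_seconds(seed_space: int = SEED_SPACE,
                       rate_per_sec: float = 3.0) -> float:
    """Upper bound on time to exhaust the seed space at a given request rate."""
    return seed_space / rate_per_sec


if __name__ == "__main__":
    # Reduced seed space so the demo finishes in well under a second.
    space = 20_000
    site = SimulatedSite(weak_hash(random.randrange(space)))
    print("weak hash -> user", brute_force(site, space), "after", site.requests, "requests")
    hardened = SimulatedSite(strong_hash())
    print("strong hash ->", brute_force(hardened, space), "after", hardened.requests, "requests")
    print(f"full 1M space at 3 req/s: {worst_case_seconds() / 86400:.1f} days worst case")
```

At 3 requests per second the full million-value space is exhausted in under four days, which is why the low rate in the quoted analysis is no obstacle. The constant-time comparison in the simulated check is included to make the point that timing hardening does nothing here; the fix is a token whose value cannot be enumerated, not a better comparison.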
Last year, the LiteSpeed Cache plugin patched an XSS vulnerability.
Incidentally, Wordfence launched the WordPress Superhero Challenge last week as part of its ongoing Bug Bounty Program, inviting reports of critical or high-severity vulnerabilities in plugins or themes with over 5 million active installs and offering a top bounty of $31,200.