Crawler Patch for WordPress Cache Plugin

We have a new patch to announce. Recently we were made aware of a vulnerability in the LiteSpeed Cache for WordPress plugin. We patched this vulnerability in v6.5.2.

To protect your WordPress sites, please update to the latest version of the LSCache plugin immediately.

This broken authentication vulnerability, reported by the Patchstack team, has been assigned CVE-2024-50550.

Impact

This vulnerability only affects those who have a very specific Crawler configuration:

  • Crawler must be ON
  • Run Duration and Interval Between Runs should both be large numbers, for example 3000
  • Server Load Limit should be 0
  • Role Simulation should be 1 (or any other user ID with Administrator privileges)
  • All crawlers should be turned off, except for the Administrator crawler

With all of these settings in place, the vulnerability may be exploited.

This is a configuration that is unlikely to be used under real world conditions, and as such, we don’t expect too many sites to be impacted.

In particular, it is highly unusual to set the Server Load Limit to 0, because that means the crawler won’t run at all, yet a Server Load Limit of 0 is required to reproduce the issue.

Actions

We recommend that every site upgrade to plugin version 6.5.2 or higher to patch this vulnerability. Additionally, we suggest that you review your site’s user list for accounts with Administrator privileges, paying particular attention to recently created ones, and delete any accounts that you don’t recognize.

Version 6.5.2 temporarily removes the Role Simulation functionality, and removes the use of mt_srand(), PHP’s seedable Mersenne Twister generator, for generating the hash. A token drawn from a seeded, non-cryptographic generator is a deterministic function of its seed, so it is not suitable for anything that gates authentication. We understand that some users do rely on the Role Simulation functionality, so we plan to reinstate it once we can be sure it won’t leave your sites vulnerable.
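The following Python example is added here to illustrate the weakness behind the mt_srand() change; it is not code from the plugin and does not reproduce the plugin’s hash routine. It mimics the general pattern of seeding a non-cryptographic generator and drawing a short token from it, shows that such a token can be recovered offline by brute-forcing a small seed space (the one-million-seed bound and the six-character length are assumptions made for the demonstration), and contrasts it with a token taken from the operating system’s CSPRNG.

```python
"""Illustrative example (not the plugin's code): a token derived from a seeded
PRNG is a pure function of the seed, so anyone who can enumerate the seed
space can recover it. A CSPRNG token has no seed to recover."""
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits

# Assumption for the demonstration: the attacker models the seed as a small
# non-negative integer, e.g. something derived from a counter or a timestamp.
SEED_SPACE = 1_000_000


def weak_token(seed: int, length: int = 6) -> str:
    """Mimic the PHP pattern `mt_srand($seed)` followed by drawing characters
    with `mt_rand()`: the result is fully determined by `seed`."""
    rng = random.Random(seed)  # Mersenne Twister, explicitly seeded
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(token: str, seed_space: int = SEED_SPACE) -> Optional[int]:
    """Offline brute force: re-derive the token for every candidate seed and
    stop at the first match. No interaction with the target is needed."""
    for seed in range(seed_space):
        if weak_token(seed, len(token)) == token:
            return seed
    return None


def strong_token(length: int = 32) -> str:
    """Hardened form: characters chosen by the OS CSPRNG. There is no seed,
    so the only attack is guessing the full 62**32 space."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: a "secret" token issued from seed 12345.
    issued = weak_token(12345)
    print("weak token:", issued, "-> recovered seed:", recover_seed(issued))
    print("strong token:", strong_token())
```

The brute-force loop re-creates the generator for each candidate seed, which is exactly what an attacker can do once they know (or guess) how the token is produced; the cost is the size of the seed space, not the length of the token. Replacing the seeded generator with a CSPRNG removes that shortcut entirely.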

Timeline

  • September 24, 2024: Patchstack alerted us to the issue.
  • October 17, 2024: We patched the issue and released v6.5.2 to the WordPress repository.
  • October 29, 2024: We added v6.5.2 to the list of stable releases in our control panel plugins.

Conclusion

We thank Patchstack for bringing this issue to our attention. This vulnerability has been patched, so if you are keeping your LiteSpeed Cache plugin up-to-date, there is nothing you need to do. If you have not updated in a while, please do so today.