Highest-ever Bounty Paid for Exposing Critical Vulnerability in LiteSpeed Cache Plugin


The popular LiteSpeed Cache plugin, with over 5 million active installations, has patched a critical unauthenticated privilege escalation vulnerability. Researchers have rated it as “Critical,” with a CVSS score of 9.8, and strongly advise updating to at least version 6.4 immediately.

John Blackbourn, a member of the Patchstack Alliance community, disclosed the vulnerability through the Patchstack Zero Day bug bounty program for WordPress and was awarded the highest bounty in the history of WordPress bug bounties – $14,400.

The Vulnerability

LiteSpeed Cache includes a crawler feature that crawls your site on a schedule to pre-populate the caches for pages on your site. The crawler relies on a security hash, and unfortunately the way this hash is generated suffers from several problems that make its possible values known.

Patchstack confirmed that this security hash is weak, which opens a vulnerability leading to the wp_set_current_user function call. The plugin also has a further weakness that allows the security hash value to be generated and saved even when the crawler feature is disabled. This means all sites using LiteSpeed Cache—not just those with its crawler feature enabled—are vulnerable.

Unauthorized visitors can gain Administrator-level access to a site and take it over by exploiting these flaws. Wordfence, which launched the WordPress Superhero Challenge last week targeting vulnerabilities in plugins or themes with over 5 million active installs, with a top bounty prize of $31,200, cautioned: “We have no doubts that this vulnerability will be actively exploited very soon.” The vulnerability affects plugin versions up to, and including, 6.3.0.1.
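The two weaknesses described above (a security hash whose possible values are knowable, and a hash that is generated and saved even when the feature is off) map onto two defensive rules: draw the secret from a cryptographically secure generator with enough entropy, and never create or honour it unless the feature is actually enabled. The following is an added example written for this article, not LiteSpeed Cache's own code or its patch; the `CrawlerAuth` class, the option names and the header name are hypothetical, while `get_option`, `update_option`, `wp_die`, `random_bytes` and `hash_equals` are real WordPress and PHP functions.

```php
<?php
// Added example (not LiteSpeed Cache's own code): a hardened pattern for a
// crawler security hash of the kind the article describes. The class name,
// option keys and header name below are hypothetical.

final class CrawlerAuth
{
    // Hypothetical option names; a real plugin would use its own.
    private const OPTION_ENABLED = 'example_crawler_enabled';
    private const OPTION_HASH    = 'example_crawler_hash';
    private const HASH_BYTES     = 32; // 256 bits of entropy, hex-encoded to 64 chars

    /**
     * Return the stored crawler hash, creating it on first use, but only
     * while the crawler feature is enabled. Returning null for a disabled
     * feature avoids the second weakness the article notes: a hash that
     * exists and is honoured on sites that never turned the crawler on.
     */
    public static function getOrCreateHash(): ?string
    {
        if (!get_option(self::OPTION_ENABLED, false)) {
            return null;
        }

        $hash = get_option(self::OPTION_HASH, '');
        if (!is_string($hash) || strlen($hash) !== self::HASH_BYTES * 2) {
            // random_bytes() is PHP's CSPRNG. Do not derive the value from
            // time, process id, mt_rand() or similar inputs: their output
            // space is small enough that the possible values become known.
            $hash = bin2hex(random_bytes(self::HASH_BYTES));
            update_option(self::OPTION_HASH, $hash, false); // no autoload
        }
        return $hash;
    }

    /**
     * Rotate the hash whenever the feature is toggled, so a value created
     * under an earlier configuration never survives into a new one.
     */
    public static function onFeatureToggled(bool $enabled): void
    {
        update_option(self::OPTION_ENABLED, $enabled, false);
        delete_option(self::OPTION_HASH);
    }

    /**
     * Validate a presented hash. hash_equals() compares in constant time,
     * and a disabled feature never validates regardless of what is stored.
     */
    public static function isValid(?string $presented): bool
    {
        $expected = self::getOrCreateHash();
        if ($expected === null || $presented === null) {
            return false;
        }
        return hash_equals($expected, $presented);
    }
}

// Illustrative use inside the crawler's request handler:
// if (!CrawlerAuth::isValid($_SERVER['HTTP_X_EXAMPLE_CRAWLER_HASH'] ?? null)) {
//     wp_die('forbidden', '', ['response' => 403]);
// }
```

Even with a strong hash, a successful check should only prove that the request came from the site's own scheduled crawler; it should not by itself be the reason a request is switched to an Administrator user, which is the step the weak hash exposed in this case.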

Rafie Muhammad’s post has more details on the technical side of the vulnerability and its patch.
