Login Sign Up

CVE-2024-50550

8.1 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to escalate privileges in LiteSpeed Cache WordPress plugin due to incorrect privilege assignment. Attackers can gain higher-level access than intended, potentially compromising WordPress sites. All WordPress installations using LiteSpeed Cache versions up to 6.5.1 are affected.

💻 Affected Systems

Products:
  • LiteSpeed Cache WordPress Plugin
Versions: n/a through 6.5.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with LiteSpeed Cache plugin enabled.

📦 What is this software?

Litespeed Cache by Litespeedtech

View all CVEs affecting Litespeed Cache →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover where attackers gain administrative access, install backdoors, steal sensitive data, deface websites, or use the site for further attacks.

🟠

Likely Case

Attackers gain elevated privileges to modify content, install malicious plugins/themes, or access sensitive user data.

🟢

If Mitigated

Limited impact with proper access controls, monitoring, and network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires some level of initial access to WordPress, but privilege escalation is straightforward once initial foothold is achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.2 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-5-1-privilege-escalation-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find LiteSpeed Cache and click 'Update Now'. 4. Verify update completes successfully.

🔧 Temporary Workarounds

Disable LiteSpeed Cache Plugin

all

Temporarily disable the vulnerable plugin until patching is possible

wp plugin deactivate litespeed-cache

Restrict User Access

all

Limit user accounts and permissions to minimize attack surface

🧯 If You Can't Patch

  • Implement strict access controls and principle of least privilege for all WordPress user accounts
  • Enable comprehensive logging and monitoring for privilege escalation attempts and unusual user activity

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins > LiteSpeed Cache version. If version is 6.5.1 or earlier, you are vulnerable.

Check Version:

wp plugin get litespeed-cache --field=version

Verify Fix Applied:

After updating, verify LiteSpeed Cache version is 6.5.2 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual user privilege changes in WordPress logs
  • Multiple failed login attempts followed by successful privilege escalation
  • Administrative actions from non-admin users

Network Indicators:

  • Unusual outbound connections from WordPress server after privilege escalation

SIEM Query:

source="wordpress" AND (event_type="user_role_change" OR event_type="privilege_escalation")

📊 Metadata

CVE ID: CVE-2024-50550
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-266
Published: October 29, 2024
Last Updated: March 7, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-50550, you might also want to check these:

CVE-2026-23800 10.0

This vulnerability allows attackers to escalate privileges in Modular DS modular-connector WordPress...

Same vulnerability type (CWE-266)
CVE-2026-23550 10.0

This critical vulnerability in Modular DS allows attackers to escalate privileges due to incorrect p...

Same vulnerability type (CWE-266)
CVE-2025-41115 10.0

A critical vulnerability in Grafana's SCIM provisioning allows malicious SCIM clients to provision u...

Same vulnerability type (CWE-266)