LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites
Briefly

"The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain administrator level access after which malicious plugins could be uploaded and installed," Patchstack security researcher Rafie Muhammad said in an analysis.
"The newly identified issue, per Patchstack, is rooted in a function named is_role_simulation and is similar to an earlier flaw that was publicly documented back in August 2024 (CVE-2024-28000, CVSS score: 9.8)."
"The patch put in place by LiteSpeed removes the role simulation process and updates the hash generation step using a random value generator to avoid limiting the hashes to 1 million possibilities."
Read at The Hacker News
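The last quote says the fix stops the hashes from being limited to 1 million possibilities. The sketch below is an added example, not code from LiteSpeed, Patchstack or The Hacker News, and it compares the effective entropy of a token whose only secret is one of 1,000,000 seeds with a token of the same format drawn from the operating system's CSPRNG. The token length, the alphabet and the function names are assumptions made for illustration.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed 62-character alphabet
TOKEN_LEN = 6                                     # assumed token length
SEED_SPACE = 1_000_000                            # "1 million possibilities" from the quote


def weak_token(seed: int) -> str:
    """Token from a PRNG whose only secret is a seed in [0, SEED_SPACE)."""
    rng = random.Random(seed % SEED_SPACE)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def strong_token() -> str:
    """Same format, but every character comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))


def effective_bits(possibilities: int) -> float:
    """Entropy in bits of a value chosen uniformly from `possibilities` options."""
    return math.log2(possibilities)


def report() -> dict:
    """Compare what the token format could hold with what each generator delivers."""
    return {
        # Upper bound set by the format alone: 62**6 possible strings.
        "format_bits": round(effective_bits(len(ALPHABET) ** TOKEN_LEN), 1),
        # The seeded generator can never emit more distinct tokens than seeds.
        "weak_bits": round(effective_bits(SEED_SPACE), 1),
        # The weak token is a pure function of the seed: same seed, same token.
        "weak_is_reproducible": weak_token(424242) == weak_token(424242),
        # Two CSPRNG draws agree only by chance (about 1 in 62**6).
        "strong_is_reproducible": strong_token() == strong_token(),
    }


if __name__ == "__main__":
    print(report())
```

The token format has room for about 35.7 bits, but the seeded generator delivers at most 19.9 bits because every output is fixed by the seed.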