A critical security vulnerability [5] [7], tracked as CVE-2024-44000 [1] [3] [5] [7], has been discovered in the LiteSpeed Cache plugin for WordPress [5]. It affects all plugin versions up to and including 6.4.1 [2] [6] [7].

Description

LiteSpeed Cache versions up to 6.4.1 are vulnerable to Sensitive Information Exposure through a publicly exposed debug log file [2]. When the plugin's debug logging feature is enabled, it records HTTP response headers, including the "Set-Cookie" header that WordPress sends after a user logs in [4], to /wp-content/debug.log. That file sits in a web-accessible directory, so an unauthenticated attacker can fetch it and harvest the authentication cookies of every user who logged in while logging was active [2] [4]. Replaying a harvested cookie gives the attacker that user's session [2]; if the victim is an administrator, this is an Administrator role takeover [4], from which spoofing of admin users and complete website takeover follow [1]. Debug logging is off by default, so the exposure is limited to sites that enabled it and left the log in place.

The issue was fixed in version 6.5.0.1 of the plugin [7], which moves the log file into a dedicated folder [7], randomizes the log filename [6] [7], and removes the option to log cookies altogether [6] [7]. Updating does not touch log files written before the fix, so administrators are also advised to delete any old debug.log files that may still hold valid session cookies [1] and to add an .htaccess rule that denies direct web access to log files [1]. Deleting the log ends the exposure but does not invalidate cookies an attacker has already copied; those sessions remain usable until they expire or the affected users' passwords are changed, which alters the hash the cookies are bound to.

The plugin has over 5 million active installations; [1] puts the number of sites at risk above six million, and [3] reports that over 5.5 million sites remained unpatched after the fix was released, which keeps the likelihood of exploitation high [3]. Recent attacks on LiteSpeed Cache have already exploited the unauthenticated privilege escalation bug CVE-2024-28000 and the unauthenticated cross-site scripting flaw CVE-2023-40000 [1], so unpatched sites should expect this flaw to be targeted as well.
Organizations are advised to prioritize applying the patch to prevent potential attacks and safeguard against any downstream impacts to third-party vendors [3].
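The triage and hardening steps described above, as an added example that is not part of the original article or of the LiteSpeed Cache project's code. It assumes the pre-6.5.0.1 log path wp-content/debug.log, WordPress's cookie layout (user|expiry|token|hmac, URL-encoded inside the Set-Cookie header), and an Apache or LiteSpeed web server that honours .htaccess; the sample log lines, usernames, cookie hash and timestamps are constructed for the demo and only approximate the plugin's real line format.

```shell
#!/bin/bash
# Added example (not code from the article or from the LiteSpeed Cache project).
# Assumes the pre-6.5.0.1 log location wp-content/debug.log and WordPress's
# cookie layout: wordpress_logged_in_<hash>=user|expiry|token|hmac, URL-encoded
# in the Set-Cookie header (the "|" appears as %7C).

# write_sample_log PATH
# Writes a CONSTRUCTED debug log that only approximates the plugin's line
# format; the users, cookie hash and timestamps below are made up for the demo.
write_sample_log() {
  cat > "$1" <<'EOF'
09/05/24 10:12:33.101 [203.0.113.5:51822 1 POST /wp-login.php] Set-Cookie: wordpress_logged_in_3d2e1f4a5b6c7d8e9f0a1b2c3d4e5f6a=admin%7C1726000000%7Cdeadbeefcafef00d%7C0123456789abcdef; path=/; secure; HttpOnly
09/05/24 10:12:33.102 [203.0.113.5:51822 1 POST /wp-login.php] Set-Cookie: wordpress_sec_3d2e1f4a5b6c7d8e9f0a1b2c3d4e5f6a=admin%7C1726000000%7Cdeadbeefcafef00d%7Cfedcba9876543210; path=/wp-admin; secure; HttpOnly
08/28/24 08:01:15.930 [198.51.100.7:40001 1 POST /wp-login.php] Set-Cookie: wordpress_logged_in_3d2e1f4a5b6c7d8e9f0a1b2c3d4e5f6a=editor%7C1720000000%7Cabcdefabcdefabcd%7C1111222233334444; path=/; HttpOnly
09/05/24 10:12:40.000 [203.0.113.5:51822 2 GET /wp-admin/] Cache-Control: no-cache
EOF
}

# leaked_sessions LOGFILE NOW_EPOCH
# Prints one line per auth cookie found in the log: STATUS USER EXPIRY COOKIE_NAME.
# STATUS is LIVE when the cookie's expiry is still in the future relative to
# NOW_EPOCH (use "$(date +%s)" on a real run): such a cookie can still be replayed.
leaked_sessions() {
  log="$1"; now="$2"
  grep -oE 'wordpress_(logged_in|sec)_[0-9a-f]+=[^; ]+' "$log" |
  sed 's/%7[Cc]/|/g' |
  while IFS='=' read -r name value; do
    user=${value%%|*}
    rest=${value#*|}
    expiry=${rest%%|*}
    if [ "$expiry" -gt "$now" ] 2>/dev/null; then status=LIVE; else status=EXPIRED; fi
    printf '%s %s %s %s\n' "$status" "$user" "$expiry" "$name"
  done
}

# live_users LOGFILE NOW_EPOCH
# Distinct usernames whose leaked session has not expired yet: these accounts
# need their sessions invalidated (password change) before anything else.
live_users() {
  leaked_sessions "$1" "$2" | awk '$1 == "LIVE" { print $2 }' | sort -u
}

# install_deny_rule WP_CONTENT_DIR
# Appends an Apache 2.4 / LiteSpeed .htaccess rule that refuses direct web
# requests for any *.log file under wp-content. Idempotent via the marker line.
install_deny_rule() {
  ht="$1/.htaccess"
  if grep -q 'LSCACHE-LOG-DENY' "$ht" 2>/dev/null; then
    return 0
  fi
  cat >> "$ht" <<'EOF'
# LSCACHE-LOG-DENY: block direct access to log files
<FilesMatch "\.log$">
    Require all denied
</FilesMatch>
EOF
}

# purge_old_logs WP_CONTENT_DIR
# Removes leftover pre-6.5.0.1 log files (debug.log and rotated copies) once
# they have been reviewed with leaked_sessions.
purge_old_logs() {
  find "$1" -maxdepth 1 -type f -name 'debug.log*' -print -delete
}

# check_exposed SITE_URL
# Live check (needs network, so not run in the demo): 200 means the old log is
# still fetchable by anyone; 403 or 404 is what you want once the rule is in place.
check_exposed() {
  curl -s -o /dev/null -w '%{http_code}' "$1/wp-content/debug.log"
}

# Demo on the constructed log; a real run points at the site's old debug.log.
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/debug.log"
echo "== cookies captured in debug.log (now = 1725600000) =="
leaked_sessions "$demo_dir/debug.log" 1725600000
echo "== users with a still-valid leaked session =="
live_users "$demo_dir/debug.log" 1725600000
install_deny_rule "$demo_dir"
echo "== rule appended to $demo_dir/.htaccess =="
cat "$demo_dir/.htaccess"
purge_old_logs "$demo_dir"
rm -rf "$demo_dir"
```

The .htaccess rule is only read by Apache and LiteSpeed; nginx ignores it, so there the equivalent is a `location ~ \.log$ { deny all; }` block in the server configuration. The order matters: review the log and invalidate the LIVE sessions first, then purge the file, because once it is gone you no longer know whose cookies were exposed.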

Conclusion

The critical security vulnerability in the LiteSpeed Cache plugin poses a significant risk to WordPress sites, with millions of installations potentially affected. Site administrators should act immediately: update to version 6.5.0.1 or later, block direct web access to log files, remove old debug log files that may contain session cookies, and invalidate any sessions those files exposed. Failure to address this could lead to compromised user data and full website takeover. Organizations must prioritize security updates to mitigate risks and protect against future threats.

References

[1] https://www.scmagazine.com/brief/widespread-wordpress-site-takeovers-likely-with-critical-litespeed-cache-bug
[2] https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/litespeed-cache/litespeed-cache-641-unauthenticated-sensitive-information-exposure-via-log-files
[3] https://feedly.com/cve/CVE-2024-44000
[4] https://patchstack.com/articles/critical-account-takeover-vulnerability-patched-in-litespeed-cache-plugin/
[5] https://securityonline.info/cve-2024-44000-cvss-9-8-litespeed-cache-flaw-exposes-millions-of-wordpress-sites-to-takeover-attacks/
[6] https://cyberpanel.net/blog/critical-flaw-in-litespeed-cache-plugin
[7] https://thehackernews.com/2024/09/critical-security-flaw-found-in.html