A newly discovered critical vulnerability (CVE-2024-44000) in the LiteSpeed Cache plugin, a popular caching tool used by over six million WordPress sites, allows attackers to take over WordPress sites without authentication, posing significant risks to users.
The flaw potentially exposes sensitive user authentication data and stems from the plugin’s practice of recording all HTTP response headers in its logs, including those containing session cookies.
These cookies are critical for user authentication. If an unauthorised party obtained these logged cookies, they could use them to impersonate administrators, thereby gaining illicit control over the WordPress site.
This security risk underscores the importance of carefully handling debug information, especially where it involves user authentication mechanisms.
To exploit the flaw, an attacker must access the debug log file stored at /wp-content/debug.log. In cases where access restrictions, such as .htaccess rules, are not in place, an attacker could retrieve the log file by simply visiting a specific URL.
The issue becomes more concerning if the debug logs are kept indefinitely and not wiped regularly, as this could allow threat actors to steal session cookies from previous login events.
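For administrators checking whether an old debug log already holds login cookies, the audit sketch below is an added example, not code from the plugin or the original article. It assumes WordPress's standard auth cookie naming and its `user|expiry|token|hmac` value layout; the log lines are constructed, and only the `Set-Cookie` syntax is relied on, not the plugin's real log format.

```python
import re

# WordPress auth cookies: wordpress_logged_in_<hash>, wordpress_sec_<hash>,
# wordpress_<hash>, where <hash> is a 32-character hex site hash.
AUTH_COOKIE = re.compile(
    r"\b(wordpress_logged_in_|wordpress_sec_|wordpress_)([0-9a-f]{32})=([^;\s]+)"
)
HASH = "0123456789abcdef0123456789abcdef"  # constructed site hash

# Constructed sample lines; the layout around the header is an assumption.
SAMPLE_LOG = [
    "09/05/24 10:00:01 Response header: Content-Type: text/html",
    f"09/05/24 10:00:01 Response header: Set-Cookie: wordpress_logged_in_{HASH}=admin%7C1725700000%7CTOKEN%7CHMAC; path=/; HttpOnly",
    "09/05/24 10:05:00 Response header: Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/",
    f"08/01/24 09:00:00 Response header: Set-Cookie: wordpress_sec_{HASH}=editor%7C1722600000%7CTOKEN%7CHMAC; path=/wp-admin",
]

def find_logged_auth_cookies(lines):
    """Return one finding per auth cookie in the log; token and HMAC are dropped."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in AUTH_COOKIE.finditer(line):
            prefix, site_hash, value = m.groups()
            # Fields are separated by '|', usually URL-encoded as %7C.
            fields = re.split(r"%7[Cc]|\|", value)
            expires = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None
            findings.append({
                "line": lineno,
                "cookie": prefix + site_hash,
                "user": fields[0],
                "expires": expires,
            })
    return findings

def still_valid(findings, now):
    """Keep findings whose cookie expiry is in the future or could not be parsed."""
    return [f for f in findings if f["expires"] is None or f["expires"] > now]

if __name__ == "__main__":
    for f in still_valid(find_logged_auth_cookies(SAMPLE_LOG), now=1725600000):
        print(f"line {f['line']}: unexpired {f['cookie']} for user {f['user']}")
```

Any unexpired finding means that user's sessions should be ended and the log removed, in addition to updating the plugin.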
Following the discovery of CVE-2024-44000, LiteSpeed Technologies, the vendor behind LiteSpeed Cache, released a patch on September 5, 2024. The update, version 6.5.0.1, addresses the flaw by moving the debug logs to a dedicated folder (/wp-content/litespeed/debug/), randomising log filenames and removing the option to log cookies altogether.
Additionally, the company added a dummy index file to provide an extra layer of protection.
Cyber security experts have urged site administrators to update the LiteSpeed Cache plugin to the latest version and implement an .htaccess rule to deny direct access to log files.
However, as BleepingComputer reports, despite the patch’s release, the scale of this vulnerability remains staggering. With only around 375,000 downloads of the updated version recorded on the day of its release, over 5.6 million WordPress sites may still be vulnerable to attacks.