Security researchers have disclosed a serious vulnerability in the LiteSpeed Cache plugin for WordPress that lets an unauthenticated visitor take over arbitrary user accounts. The flaw, tracked as CVE-2024-44000, carries a CVSS score of 7.5 and affects all versions up to and including 6.4.1. It is fixed in version 6.5.0.1.
Rafie Muhammad of Patchstack, who reported the issue, described it as an unauthenticated account takeover: a visitor who is not logged in can obtain the session cookies of users who are, including administrators, and reuse them to act as those users. With an administrator session in hand, an attacker could upload and install malicious plugins.
The disclosure follows the recent discovery of another serious flaw in the same plugin, CVE-2024-28000, which was rated CVSS 9.8. The new issue, CVE-2024-44000, stems from the plugin's debug log. LiteSpeed Cache, which has more than 5 million active installations, wrote its debug log to "/wp-content/debug.log", a path that the web server serves to anyone who requests it. The log recorded HTTP response headers, including the Set-Cookie headers that carry users' session cookies, so anyone who fetched the file could replay an active session cookie and log in to the site as that user.
The impact is limited by two conditions: the debug feature must have been enabled, and the log file must still be present. Debug logging is off by default. The condition is historical, though, not current: a site that turned debug logging on at any point and never deleted the log remains exposed even if logging has since been switched off, so sites that have ever enabled it need to address the issue.
Version 6.5.0.1 moves the debug log into a dedicated folder inside the plugin's own directory ("/wp-content/litespeed/debug/"), gives the log files randomized names, and removes the option to log cookies. Updating does not delete an existing "/wp-content/debug.log", so site owners who previously enabled the debug feature should check for that file and remove it. Any session cookies the file contained should be treated as exposed, which means the affected users, administrators above all, need to be logged out so that the leaked cookies stop working.
It is also recommended to add an .htaccess rule that blocks direct web access to log files. The randomized names make the new log harder to find, but they are not a substitute for access control: an attacker who learns the filename, or guesses it by trial and error, could still request it directly, so the web server should refuse to serve log files regardless of their names.
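The checks and the .htaccess rule described above, as an added example that is not code from LiteSpeed, Patchstack, or the article: a POSIX shell script run on the server that reports whether the pre-6.5.0.1 log "/wp-content/debug.log" is still on disk, counts logged Set-Cookie headers carrying WordPress auth cookies (wordpress_logged_in_* and wordpress_sec_*) in both the old and the new log locations so that you know whether sessions must be invalidated, and writes an .htaccess that denies web access to *.log files in the new log directory. The WordPress root path argument, the line format the cookie match relies on, and the assumption that the web server honours Apache 2.4-style .htaccess (LiteSpeed Web Server does; Apache 2.2 would need "Deny from all" instead) are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from LiteSpeed, Patchstack or the article: local
# remediation checks for the debug-log exposure on a WordPress install.
# Assumptions: the WordPress root is passed as $1, the web server honours
# Apache 2.4-style .htaccess, and the Set-Cookie lines matched below are
# assumed to appear one per line (constructed format, not the plugin's).
set -u

# Count logged Set-Cookie headers carrying WordPress auth cookies. Any hit
# means a session cookie was written to disk and may have been read.
# Prints 0 when the file does not exist or contains no such line.
count_leaked_cookies() {
    log="$1"
    if [ ! -f "$log" ]; then
        echo 0
        return 0
    fi
    grep -ciE 'set-cookie:.*wordpress_(logged_in|sec)' "$log" || true
}

# True (exit 0) when the pre-6.5.0.1 log is still at its old public path.
legacy_debug_log_present() {
    [ -f "$1/wp-content/debug.log" ]
}

# Write an .htaccess that denies direct web requests for *.log files in $1,
# whatever their names. Apache 2.4 / LiteSpeed Web Server syntax.
write_log_deny_rule() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Block direct requests for log files (randomized names or not)
<FilesMatch "\.log$">
    Require all denied
</FilesMatch>
EOF
    echo "$dir/.htaccess"
}

# Audit one install: flag the legacy log, count leaked auth cookies in the
# legacy and the new location, and protect the new location. Exit status is
# non-zero when any leaked cookie was found, because deleting the file is
# not enough: the sessions it recorded must be invalidated as well.
audit_site() {
    root="$1"
    legacy="$root/wp-content/debug.log"
    newdir="$root/wp-content/litespeed/debug"
    leaked=$(count_leaked_cookies "$legacy")
    for f in "$newdir"/*.log; do
        [ -f "$f" ] || continue
        leaked=$((leaked + $(count_leaked_cookies "$f")))
    done
    if legacy_debug_log_present "$root"; then
        echo "FINDING: $legacy exists and is web-accessible; delete it after review"
    fi
    echo "leaked_auth_cookies=$leaked"
    echo "wrote $(write_log_deny_rule "$newdir")"
    [ "$leaked" -eq 0 ]
}

# Usage: sh audit.sh /var/www/html   (path is an assumption for the example)
if [ "${1-}" ]; then
    audit_site "$1"
fi
```

The cookie count is the number that matters after cleanup: if it is non-zero, the leaked cookies are still valid until their owners log out (or their sessions are otherwise destroyed), regardless of whether the log file has been deleted.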
“This incident underscores the critical need for securing debug log processes, managing logged data appropriately, and handling log file access,” Muhammad added.