A critical vulnerability has been discovered in LiteSpeed Cache, a popular caching plugin used by over 6 million WordPress websites to enhance user browsing speed. The flaw, tracked as CVE-2024-44000, is classified as an unauthenticated account takeover vulnerability and was discovered by Patchstack’s Rafie Muhammad on August 22, 2024. LiteSpeed Technologies released a patch yesterday with the LiteSpeed Cache version 6.5.0.1.
Debug Feature Vulnerability and Exploitation
The vulnerability stems from the plugin’s debug logging feature, which, when enabled, writes all HTTP response headers, including the “Set-Cookie” header, to a file. Since session cookies are used for authenticating users, an attacker who obtains this log file can replay a logged session cookie to impersonate that user, including an administrator, and take full control of the affected site.
To exploit this flaw, attackers must access the debug log file located at /wp-content/debug.log. If file access restrictions like .htaccess rules are not in place, attackers can simply request that URL directly. This allows them to steal session cookies, even from past login events if logs are not regularly wiped.
Vendor Response and Fixes
LiteSpeed Technologies has addressed this vulnerability by moving the debug log to a dedicated folder (/wp-content/litespeed/debug/), randomizing log filenames, removing the option to log cookies, and adding a dummy index file for enhanced security.
WordPress site administrators using LiteSpeed Cache are urged to update to version 6.5.0.1 immediately to prevent potential exploitation.