Cybersecurity researchers have uncovered a new vulnerability in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated visitors to take over arbitrary accounts, including administrator accounts. The flaw, tracked as CVE-2024-44000 and assigned a CVSS score of 7.5 (high severity), affects all versions up to and including 6.4.1; it has been fixed in version 6.5.0.1.
According to Patchstack researcher Rafie Muhammad, "The plugin suffers from an unauthenticated account takeover vulnerability, which allows any unauthenticated visitor to gain authentication access to any logged-in users, and at worst, gain access to an Administrator-level role, enabling malicious plugins to be uploaded and installed."
Details of the Vulnerability
This flaw was discovered following a detailed security analysis of LiteSpeed Cache, which previously revealed a critical privilege escalation flaw (CVE-2024-28000, CVSS score: 9.8). LiteSpeed Cache is one of the most popular caching plugins for WordPress, with over 5 million active installations.
The vulnerability stems from the plugin's debug log, written to the web-accessible path "/wp-content/debug.log". The log records HTTP response headers and can therefore capture the session cookies of logged-in users. Anyone who can fetch that file can replay a recorded cookie and act as that user for as long as the session remains valid, which for an administrator session means full control of the site.
Exploitation is harder than the impact suggests because the WordPress site's debug feature must be enabled for the plugin to write the log at all. The flaw also affects sites where debug logging was enabled in the past and the log file was never removed, since the old file stays readable over HTTP.
Security Patch and Recommendations
The patch moves the debug log into a dedicated folder inside the plugin's own directory ("/wp-content/litespeed/debug/"), gives the log files randomized names, and stops logging cookies.
Administrators should check their installations for an existing "/wp-content/debug.log" file and purge it if debugging was ever enabled. Because randomized filenames only make the log harder to find, not impossible (an attacker can still guess names by trial and error), it is also recommended to add .htaccess rules that block direct HTTP access to log files. Two further steps are worth taking: treat any session cookie that appeared in an exposed log as compromised and invalidate active sessions (rotating the authentication keys and salts in wp-config.php forces every user to log in again), and, where debug logging is genuinely needed, point WP_DEBUG_LOG at a file path outside the web root, which WordPress has supported since version 5.1.
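As an added example (not code from the article, Patchstack or LiteSpeed), the check and the hardening steps above as a POSIX shell script: it lists the legacy debug.log and anything under the plugin's new debug folder, reports whether a log contains WordPress authentication cookies (the material an attacker could replay), truncates the log, and appends an .htaccess rule that denies HTTP access to any *.log file under wp-content. The WordPress root path, the cookie-name patterns, the choice to truncate rather than delete, and the sample log at the bottom are all assumptions of this example; the sample log is constructed and does not reproduce the plugin's real log format.

```shell
#!/bin/sh
# Added example, not from the article or the LiteSpeed project.
# Audit a WordPress install for the debug-log exposure and harden it.
# Assumes the usual layout <root>/wp-content; adjust paths as needed.

# Print every candidate log file: the legacy /wp-content/debug.log and
# every file under the plugin's new /wp-content/litespeed/debug/ folder
# (the randomized names mean we cannot rely on a fixed filename there).
find_debug_logs() {
    wp_root="$1"
    [ -f "$wp_root/wp-content/debug.log" ] && echo "$wp_root/wp-content/debug.log"
    if [ -d "$wp_root/wp-content/litespeed/debug" ]; then
        find "$wp_root/wp-content/litespeed/debug" -type f -print
    fi
    return 0
}

# Succeed (exit 0) if the log contains WordPress auth/session cookies.
# wordpress_logged_in_<hash> and wordpress_sec_<hash> are the cookies a
# replay attack needs; match both request "Cookie:" and response
# "Set-Cookie:" headers.
log_leaks_cookies() {
    grep -Eiq '(set-)?cookie:.*wordpress_(logged_in|sec)_' "$1"
}

# Number of lines carrying such cookies, so the scope of the leak is visible.
count_leaked_cookies() {
    grep -Eic '(set-)?cookie:.*wordpress_(logged_in|sec)_' "$1" || true
}

# Purge by truncating: a process that still has the file open keeps
# writing to the same inode, whereas deleting would leave it writing to
# an unlinked file that is harder to audit.
purge_log() {
    : > "$1"
}

# Append an .htaccess block to wp-content that denies direct HTTP access
# to any file ending in .log; the directive applies to subdirectories too,
# so it covers both debug.log and the litespeed/debug folder. Includes
# Apache 2.2 and 2.4 syntax. Only servers that honour .htaccess
# (Apache, LiteSpeed, OpenLiteSpeed) enforce this.
write_log_block_htaccess() {
    target="$1/wp-content/.htaccess"
    cat >> "$target" <<'EOF'
<FilesMatch "\.log$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    echo "$target"
}

# Walk the candidate logs; return 1 if any of them leaks session cookies.
# (Paths are split on whitespace; fine for a standard WordPress tree.)
audit_wordpress() {
    wp_root="$1"
    status=0
    for f in $(find_debug_logs "$wp_root"); do
        if log_leaks_cookies "$f"; then
            echo "LEAK: $f contains $(count_leaked_cookies "$f") auth-cookie line(s)"
            status=1
        else
            echo "ok: $f has no auth cookies"
        fi
    done
    return $status
}

# --- Demo on a constructed site tree (sample data, not a real log) ---
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/wp-content"
cat > "$demo_root/wp-content/debug.log" <<'EOF'
[sample] Cookie: wordpress_logged_in_abc123=admin%7C1700000000%7Ctoken%7Chmac; wp-settings-1=editor%3Dhtml
[sample] GET /wp-admin/ 200
EOF
if audit_wordpress "$demo_root"; then
    echo "no leaks found"
else
    echo "action required: purging log and blocking HTTP access"
    purge_log "$demo_root/wp-content/debug.log"
    write_log_block_htaccess "$demo_root"
fi
```

On nginx, which ignores .htaccess, the equivalent is a `location ~ \.log$ { deny all; }` block in the server configuration. Blocking the file and purging it do not revoke cookies that were already copied; that is why the session-invalidation step above matters.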
"This vulnerability highlights the critical importance of securing the debug log process, controlling what data gets logged, and properly managing log files," Muhammad emphasized.