Cybersecurity researchers have discovered another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts.
The vulnerability, identified as CVE-2024-44000 (CVSS score: 7.5), affects versions up to and including 6.4.1. This was resolved in version 6.5.0.1.
“The plugin suffers from an unauthenticated account hijacking vulnerability that allows any unauthenticated visitor to gain authentication access to any logged-in user and, in the worst case, gain access to the administrator role, allowing malicious plugins to be downloaded and installed,” Patchstack researcher Rafie Muhammad said.
The discovery follows extensive security analysis of the plugin, which previously led to the identification of a critical privilege escalation flaw (CVE-2024-28000, CVSS score: 9.8). LiteSpeed Cache is a popular caching plugin for the WordPress ecosystem with over 5 million active installations.
The new vulnerability stems from the plugin's debug log file, “/wp-content/debug.log”, being publicly accessible over HTTP, which allows an unauthenticated attacker to read the potentially sensitive information it contains.
That information can include user cookies copied verbatim from HTTP response headers (the Set-Cookie headers the plugin logged), effectively letting the attacker log into the vulnerable site with any session that is still active.
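To make the impact concrete, the following is an added example (not code from the article, from Patchstack, or from the LiteSpeed Cache plugin) that parses a debug log the way an attacker, or an incident responder triaging an exposed site, would: it pulls every WordPress authentication cookie out of the logged Set-Cookie headers and decides which sessions are still replayable. The sample log is constructed; its timestamp/request-id prefix is an assumption for illustration and not the plugin's exact log layout. The WordPress cookie naming (`wordpress_logged_in_<md5(siteurl)>`, `wordpress_sec_<md5(siteurl)>`) and value layout (`user|expiry|token|hmac`) are standard WordPress behaviour.

```python
import re
import time
from urllib.parse import unquote

# Constructed sample of an exposed debug log. The timestamp/request-id prefix is
# an assumption for illustration, not LiteSpeed Cache's exact log layout; the
# relevant behaviour is that Set-Cookie response headers were written verbatim.
SAMPLE_DEBUG_LOG = """\
09/05/24 14:02:11.310 [203.0.113.5:51234 1 Ab3] GET /wp-login.php
09/05/24 14:02:11.412 [203.0.113.5:51234 1 Ab3] Set-Cookie: wordpress_sec_3f1ea7c7d8b4b1c19a4a6e4f2b3c5d6e=admin%7C1726000000%7Cq1w2e3r4t5y6%7C0badc0de; path=/wp-admin; secure; HttpOnly
09/05/24 14:02:11.413 [203.0.113.5:51234 1 Ab3] Set-Cookie: wordpress_logged_in_3f1ea7c7d8b4b1c19a4a6e4f2b3c5d6e=admin%7C1726000000%7Cq1w2e3r4t5y6%7Cfeedface; path=/; HttpOnly
09/05/24 14:05:40.001 [198.51.100.9:40022 1 Cd9] Set-Cookie: wordpress_logged_in_3f1ea7c7d8b4b1c19a4a6e4f2b3c5d6e=editor%7C1725000000%7Cz9x8c7v6b5n4%7Cc0ffee00; path=/; HttpOnly
09/05/24 14:06:01.900 [198.51.100.9:40022 1 Cd9] Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
"""

# WordPress names its auth cookies wordpress_logged_in_<md5(siteurl)> (front end)
# and wordpress_sec_<md5(siteurl)> (wp-admin over HTTPS); the value is
# 'user|expiry|token|hmac', URL-encoded when it travels in Set-Cookie.
AUTH_COOKIE_RE = re.compile(
    r"Set-Cookie:\s*(?P<name>wordpress_(?:logged_in|sec)_[0-9a-f]{32})=(?P<value>[^;\s]+)"
)


def extract_auth_cookies(log_text, now=None):
    """Return one record per WordPress auth cookie leaked in log_text.

    'replayable' is True when the cookie's expiry is still in the future, i.e.
    the session can be hijacked simply by sending the cookie back to the site.
    """
    now = int(time.time()) if now is None else now
    found = []
    for line in log_text.splitlines():
        m = AUTH_COOKIE_RE.search(line)
        if not m:
            continue
        fields = unquote(m.group("value")).split("|")
        if len(fields) != 4:  # not a well-formed WP auth cookie; skip it
            continue
        user, expiry, token, _hmac = fields
        if not expiry.isdigit():
            continue
        found.append({
            "cookie": m.group("name"),
            "user": user,
            "expires": int(expiry),
            "token": token,
            "replayable": int(expiry) > now,
            # exactly what an attacker would put in a Cookie: request header
            "header": f"{m.group('name')}={m.group('value')}",
        })
    return found


def users_with_replayable_sessions(log_text, now=None):
    """Sorted, de-duplicated accounts whose leaked session is still valid."""
    return sorted({c["user"] for c in extract_auth_cookies(log_text, now) if c["replayable"]})


if __name__ == "__main__":
    # Fixed 'now' (5 Sep 2024 UTC) so the output is reproducible.
    for c in extract_auth_cookies(SAMPLE_DEBUG_LOG, now=1725500000):
        state = "REPLAYABLE" if c["replayable"] else "expired"
        print(f"{c['cookie'][:22]}...  user={c['user']:<8} expires={c['expires']}  {state}")
    print("invalidate sessions for:", users_with_replayable_sessions(SAMPLE_DEBUG_LOG, now=1725500000))
```

Note that the `wordpress_test_cookie` line is ignored: only the two auth cookie families carry a session. An unexpired `wordpress_logged_in_*` cookie is sufficient for the front end and the REST API, and the `wordpress_sec_*` twin is what wp-admin checks over HTTPS, which is why the admin entry in the sample is the one that leads to plugin installation.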
What keeps the severity lower is that the debug logging feature must be enabled on the WordPress site for the attack to succeed. It also affects sites that enabled debug logging at some point in the past and never deleted the resulting log file.
It is worth noting that this feature is disabled by default. The patch addresses the problem by moving the log file into a dedicated folder used by the LiteSpeed plugin (“/wp-content/litespeed/debug/”), randomizing the file names, and removing the option to log cookies to the file.
Users are advised to check their installations for “/wp-content/debug.log” and to remove it if debugging is, or ever was, enabled. Because any session cookies the file recorded may still be valid, the affected sessions should also be invalidated (rotating the authentication keys and salts in wp-config.php logs every user out).
It is also recommended to add an .htaccess rule that blocks direct access to log files, since an attacker could still reach the new log file by guessing its randomized name through trial and error.
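The .htaccess rule recommended above, written out as an added example (not a rule shipped by the plugin or quoted from the article). It assumes a WordPress site served by Apache 2.4 or LiteSpeed Web Server with `AllowOverride` permitting `.htaccess`, and it is meant for the `.htaccess` in the WordPress root so that it also applies to every subdirectory; the paths are the ones the article names.

```apache
# Added example, not from the article or the plugin: deny direct HTTP access to
# debug logs. Place in the WordPress root .htaccess so it covers subdirectories.
# (Apache and LiteSpeed Web Server honour .htaccess; nginx ignores the file.)

# 1. The legacy location the vulnerability exposed: /wp-content/debug.log
<Files "debug.log">
    Require all denied
</Files>

# 2. Anything ending in .log, wherever it lives, so a renamed or moved log
#    that an attacker manages to guess is still unreachable.
<FilesMatch "\.log$">
    Require all denied
</FilesMatch>

# 3. The directory introduced by the fix. The plugin randomizes file names
#    there, so block the whole path rather than guessing at names or extensions.
RedirectMatch 403 "^/wp-content/litespeed/debug/"
```

On Apache 2.2 the `Require all denied` lines become `Order deny,allow` followed by `Deny from all`. After deploying, confirm with `curl -sI https://example.com/wp-content/debug.log` (example host) that the server answers 403, or 404 once the file has been deleted, rather than 200. On nginx the equivalent is a `location ~ \.log$ { deny all; }` block in the server configuration, since `.htaccess` is never read.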
“This vulnerability highlights the critical importance of securing the execution of the debug log process, what data should not be written, and how the debug log file is managed,” Muhammad said.