How can just one wrong tweak put your website at risk?
A serious vulnerability has been discovered in the popular LiteSpeed Cache plugin for WordPress that could allow attackers to take over user accounts. The vulnerability, designated CVE-2024-44000 with a CVSS score of 7.5, affects versions up to and including 6.4.1.
Patchstack researcher Rafi Muhammad noted in his report that the vulnerability could allow any unauthorized user to access the account of any authorized user, including the administrator. This can lead to the installation of malicious plugins on the site and other compromises.
The root cause is that the debug log file "/wp-content/debug.log" is publicly readable over the web, and it records sensitive data such as cookie headers from active user sessions. An attacker who fetches the log can reuse a logged session cookie and gain access to that account without authorization.
The vulnerability is not a widespread threat, as exploitation requires the plugin's debug logging to have been enabled on the site, and it is disabled by default. However, sites where this feature was enabled at some point and the log file was never deleted remain at risk.
The LiteSpeed Cache 6.5.0.1 plugin update moves the log file to a new folder, randomly generates a file name, and excludes the cookie data from being recorded. Users are advised to check for the presence of the "/wp-content/debug.log" file and delete it if debugging has ever been activated.
Experts also advise adding a rule to the ".htaccess" that will restrict access to log files. This will reduce the risk if attackers try to guess the new file name by brute force. The discovery of the CVE-2024-44000 vulnerability highlights the importance of properly configuring debugging and log management to minimize the risk of data leakage.
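The two remediation steps above (check for a leftover "/wp-content/debug.log" and deny web access to log files) as an added shell example. This is not code from the original post, from Patchstack or from the LiteSpeed project. It assumes a standard WordPress layout under a root directory you pass in, that the web server honours ".htaccess" (Apache and LiteSpeed both do), and that leaked session material shows up as "Cookie:" headers or "wordpress_logged_in_*" / "wordpress_sec_*" cookie names; the sample log at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a WordPress install for an exposed LiteSpeed debug log
# and block web access to log files. Paths and cookie patterns are assumptions.

# Count log lines that carry session material. Pattern assumption: WordPress
# auth cookies are named wordpress_logged_in_<hash> / wordpress_sec_<hash>, and a
# dumped request carries a "Cookie:" header. Prints 0 when the file is absent.
count_leaked_sessions() {
    log="$1"
    [ -f "$log" ] || { echo 0; return 0; }
    # grep -c exits 1 on zero matches but still prints 0; keep the function at 0
    grep -ciE 'wordpress_logged_in_|wordpress_sec_|cookie:' "$log" || true
}

# Report whether the pre-6.5.0.1 log location still exists and how much of it
# is session-related. Prints EXPOSED or CLEAN on the first line.
audit_site() {
    root="$1"
    log="$root/wp-content/debug.log"
    if [ -f "$log" ]; then
        n=$(count_leaked_sessions "$log")
        echo "EXPOSED $log ($n lines with session material) - delete it"
    else
        echo "CLEAN no debug.log under $root/wp-content"
    fi
}

# Append a rule denying web access to any *.log file in the directory.
# Idempotent: a marker comment stops the rule being appended twice.
# Covers both Apache 2.2 (Order/Deny) and 2.4+ / LiteSpeed (Require) syntax.
write_log_deny_rule() {
    dir="$1"
    ht="$dir/.htaccess"
    if [ -f "$ht" ] && grep -q '# deny-log-files' "$ht"; then
        return 0
    fi
    cat >> "$ht" <<'EOF'
# deny-log-files
<FilesMatch "\.log$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Stand-alone demo on a constructed site layout (not real data).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content"
cat > "$demo_root/wp-content/debug.log" <<'EOF'
[05-Sep-2024 10:12:03 UTC] LSCache: request /wp-admin/ Cookie: wordpress_logged_in_abc123=admin%7C1725600000%7Cdeadbeef
[05-Sep-2024 10:12:03 UTC] LSCache: purge all
[05-Sep-2024 10:12:04 UTC] LSCache: Cookie: wordpress_sec_abc123=admin%7C1725600000%7Ccafebabe
EOF
audit_site "$demo_root"
write_log_deny_rule "$demo_root/wp-content"
echo "--- $demo_root/wp-content/.htaccess ---"
cat "$demo_root/wp-content/.htaccess"
rm -rf "$demo_root"
```

Run it against a real install with `audit_site /var/www/html` and `write_log_deny_rule /var/www/html/wp-content`; the deny rule applies to the renamed log in the new folder as well, which is what limits the brute-force guessing mentioned above. Deleting the old file is still required, since the rule only stops web access, not access through other exposed paths such as backups.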
Notably, this is not the first vulnerability identified in the LiteSpeed Cache plugin over the past month. For example, we previously reported on the CVE-2024-28000 vulnerability, which allows an unauthorized attacker to gain administrator-level access, potentially affecting 5 million websites.
Source