

Multiple WordPress Plugins Vulnerabilities
September 6, 2024
Multiple Linux Kernel Vulnerabilities
September 6, 2024
Severity
High
Analysis Summary
Researchers have uncovered yet another serious vulnerability in the WordPress plugin LiteSpeed Cache that might let unauthorized users take over any account. The issue affects versions up to and including 6.4.1 and is tracked as CVE-2024-44000 (CVSS score: 7.5). It is resolved in version 6.5.0.1.
Because of the plugin's unauthenticated account takeover vulnerability, unauthorized visitors can log in as any logged-in user and, in the worst-case scenario, even acquire an Administrator-level role, from which malicious plugins might be downloaded and installed. This finding comes after a thorough security investigation of the plugin that earlier revealed a serious vulnerability allowing for the escalation of privileges (CVE-2024-28000, CVSS score: 9.8). As a popular caching plugin for the WordPress environment, LiteSpeed Cache has more than 5 million active installations.
A publicly accessible debug log file, "/wp-content/debug.log", is the source of the new vulnerability. It allows unauthenticated attackers to read potentially sensitive data stored in the file. This might include user cookie data captured from HTTP response headers, which would essentially enable access to a vulnerable website using any active session. The reduced severity reflects the precondition that the debug feature must be enabled on the WordPress site for the attack to work. Sites that enabled the debug log option in the past but never deleted the debug file may also be affected.
It is noteworthy that this option is turned off by default. The fix moves the log file to a dedicated folder ("/wp-content/litespeed/debug/") inside the LiteSpeed plugin folder, generates filenames randomly, and removes the option to log cookies in the file. Users should look for the "/wp-content/debug.log" file in their installations and remove it if the debugging feature is (or was) active.
Setting a .htaccess rule to prevent direct access to the log files is also advised, as threat actors can still use a trial-and-error technique to access the new log file directly if they know the new filename. This issue makes clear how crucial it is to guarantee the security of running a debug log process, what information shouldn't be written, and how to handle the debug log file.
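The checks recommended above can be scripted. The following is an added example, not part of the original advisory or the plugin's code: it looks for a leftover "/wp-content/debug.log", counts lines carrying WordPress auth cookies, and checks the new "/wp-content/litespeed/debug/" folder for a deny rule. The accepted .htaccess rule forms, the assumption of an Apache-compatible server, and the sample log lines are choices made for this example.

```python
import re
import sys
from pathlib import Path

# WordPress auth cookies are named wordpress_<md5>, wordpress_sec_<md5> or
# wordpress_logged_in_<md5>; a logged value is a reusable session token.
COOKIE_RE = re.compile(r"wordpress_(?:logged_in_|sec_)?[0-9a-f]{32}=", re.I)
# Apache 2.4 and legacy 2.2 forms of a blanket deny (assumed rule style).
DENY_RE = re.compile(r"^\s*(?:Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)

# Constructed sample log lines, not taken from a real site.
SAMPLE_LOG = [
    "09/06/24 10:00:01.123 [203.0.113.7:1 1 abc] Response headers",
    "Set-Cookie: wordpress_logged_in_" + "a" * 32 + "=admin%7C1725600000%7CEXAMPLE; path=/",
    "09/06/24 10:00:01.456 [203.0.113.7:1 1 abc] Cache hit",
]


def cookie_line_count(lines):
    """Count lines that contain a WordPress auth cookie name and value."""
    return sum(1 for line in lines if COOKIE_RE.search(line))


def file_cookie_count(path):
    """Count auth-cookie lines in one log file, tolerating bad encodings."""
    with open(path, "r", errors="replace") as fh:
        return cookie_line_count(fh)


def audit_wp_root(root):
    """Return (path, finding) tuples for one WordPress document root."""
    content = Path(root) / "wp-content"
    findings = []
    legacy = content / "debug.log"
    if legacy.is_file():
        n = file_cookie_count(legacy)
        findings.append((str(legacy), f"legacy debug log present ({n} cookie lines)"))
    new_dir = content / "litespeed" / "debug"
    if new_dir.is_dir():
        ht = new_dir / ".htaccess"
        if not (ht.is_file() and DENY_RE.search(ht.read_text(errors="replace"))):
            findings.append((str(new_dir), "no deny rule in .htaccess"))
        # Filenames are random, so inspect every file in the folder.
        for log in sorted(p for p in new_dir.iterdir() if p.is_file() and p != ht):
            n = file_cookie_count(log)
            if n:
                findings.append((str(log), f"{n} cookie lines"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_wp_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {finding}")
```

Run it with the WordPress document root as the only argument; no output means none of the three conditions was found.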
Impact
- Unauthorized Access
- Privilege Escalation
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-44000
Affected Vendors
Remediation
- Upgrade to the latest version of LiteSpeed Cache Plugin for WordPress, available from the LiteSpeed Technologies Website.
- Enhance the security of your WordPress site by implementing two-factor authentication.
- Keep your WordPress core and all installed plugins up to date.
- Conduct regular security audits of your WordPress site.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Keep all software, operating systems, and applications updated with the latest security patches.
- Continuously monitor network and system logs for unusual or suspicious activities.
- Review and secure website code to prevent open redirect vulnerabilities.
- Educate all site administrators about security best practices and the potential risks associated with phishing emails, fake security advisories, and malicious plugins.