A vulnerability in the popular LiteSpeed Cache plugin for WordPress could allow attackers to retrieve user cookies and potentially take over websites.
The issue, tracked as CVE-2024-44000, exists because the plugin may write the Set-Cookie HTTP response header to the debug log file after a login request.
Because the debug log file is publicly accessible, an unauthenticated attacker could access the information exposed in the file and extract any user cookies stored in it.
This would allow attackers to log in to the affected websites as any user for which the session cookie has been leaked, including as administrators, which could lead to site takeover.
Patchstack, which identified and reported the security defect, considers the flaw ‘critical’ and warns that it impacts any website that had the debug feature enabled at least once, if the debug log file has not been purged.
Additionally, the vulnerability detection and patch management firm points out that the plugin has a Log Cookies setting that could likewise leak users’ login cookies if enabled.
The vulnerability is only triggered if the debug feature is enabled. By default, however, debugging is disabled, WordPress security firm Defiant notes.
To address the flaw, the LiteSpeed team moved the debug log file to the plugin’s individual folder, implemented a random string for log filenames, dropped the Log Cookies option, removed the cookies-related info from the response headers, and added a dummy index.php file in the debug directory.
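
A defender-side check for the leak described above, as an added example that is not LiteSpeed's or Patchstack's code: it scans log lines for WordPress authentication cookie values and shows the redaction a logger should apply before writing. The log line layout, the site hash and the cookie values are constructed assumptions.

```python
import re

# WordPress auth cookies are named wordpress_<hash>, wordpress_sec_<hash> and
# wordpress_logged_in_<hash>, where <hash> is a 32-hex-digit per-site value.
# wordpress_test_cookie carries no session and is deliberately not matched.
AUTH_COOKIE = re.compile(
    r"\b(wordpress_(?:logged_in_|sec_)?[0-9a-f]{32})=([^;\s\"']+)"
)
REDACTED = "[REDACTED]"

def find_leaks(lines):
    """Return (line_number, cookie_name) for each auth cookie value in the log."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in AUTH_COOKIE.finditer(line):
            if match.group(2) != REDACTED:  # already scrubbed, not a leak
                hits.append((number, match.group(1)))
    return hits

def redact(line):
    """Replace auth cookie values; cookie names stay so the log is still useful."""
    return AUTH_COOKIE.sub(lambda m: f"{m.group(1)}={REDACTED}", line)

# Constructed sample: the line layout is an assumption, not the plugin's format.
SITE_HASH = "0123456789abcdef0123456789abcdef"  # constructed placeholder
VALUE = "admin%7C1725600000%7CtokenA%7ChmacA"   # constructed cookie value
SAMPLE_LOG = [
    "10:00:01 [POST /wp-login.php] login request",
    "10:00:01 Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/",
    f"10:00:01 Set-Cookie: wordpress_sec_{SITE_HASH}={VALUE}; path=/wp-admin",
    f"10:00:01 Set-Cookie: wordpress_logged_in_{SITE_HASH}={VALUE}; path=/",
    # Request-side leak, as a cookie-logging option would produce:
    f"10:00:07 Cookie: wp-settings-1=mfold%3Do; wordpress_logged_in_{SITE_HASH}={VALUE}",
]

if __name__ == "__main__":
    for number, name in find_leaks(SAMPLE_LOG):
        print(f"line {number}: value of {name} is present in the log")
    for line in SAMPLE_LOG:
        print(redact(line))
```

A hit in an existing log means the file should be purged and the sessions named in it treated as exposed.
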
“This vulnerability highlights the critical importance of ensuring the security of performing a debug log process, what data should not be logged, and how the debug log file is managed. In general, we highly do not recommend a plugin or theme to log sensitive data related to authentication into the debug log file,” Patchstack notes.
CVE-2024-44000 was resolved on September 4 with the release of LiteSpeed Cache version 6.5.0.1, but millions of websites might still be affected.
According to WordPress statistics, the plugin has been downloaded roughly 1.5 million times over the past two days. With LiteSpeed Cache having over six million installations, it appears that roughly 4.5 million websites may still have to be patched against this bug.
An all-in-one site acceleration plugin, LiteSpeed Cache provides site administrators with server-level cache and with various optimization features.