
LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks

A vulnerability in the LiteSpeed Cache WordPress plugin leads to the exposure of sensitive information, including user cookies.


A vulnerability in the popular LiteSpeed Cache plugin for WordPress could allow attackers to retrieve user cookies and potentially take over websites.

The issue, tracked as CVE-2024-44000, exists because the plugin may write the Set-Cookie HTTP response header, verbatim, to its debug log file after a login request.

Because the debug log file is publicly accessible, an unauthenticated attacker could access the information exposed in the file and extract any user cookies stored in it.

This would allow attackers to log in to the affected websites as any user for which the session cookie has been leaked, including as administrators, which could lead to site takeover.

Patchstack, which identified and reported the security defect, considers the flaw ‘critical’ and warns that it impacts any website that had the debug feature enabled at least once, if the debug log file has not been purged.

Additionally, the vulnerability detection and patch management firm points out that the plugin has a separate Log Cookies setting that, if enabled, can likewise leak users’ login cookies.

The leak occurs only if the debug feature is enabled. Debugging is disabled by default, WordPress security firm Defiant notes, so sites that never turned it on are not exposed.

To address the flaw, the LiteSpeed team moved the debug log file into the plugin’s own folder, added a random string to the log filename, dropped the Log Cookies option, stripped cookie-related information from the response headers before they are logged, and added a dummy index.php file in the debug directory to prevent directory listing.
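The pattern behind the bug, and the fix, can be seen in a small constructed example. The code below is added here for illustration; it is not LiteSpeed Cache’s code, and the log line format, the header values and the function names are assumptions. It contrasts a logger that writes response headers verbatim (the behaviour the advisory describes) with one that redacts cookie-bearing headers before they reach the log, and adds a scanner an administrator could run over an existing debug log to check whether it still contains Set-Cookie entries, which is the case the advisory warns about for sites that had debugging enabled at least once and never purged the log.

```python
"""Debug-log cookie leak: verbatim vs. redacted header logging, plus a log scanner.

Constructed example; not the LiteSpeed Cache plugin's code. The "[RESP HDR]"
log format and the sample header values are assumptions made for illustration.
"""
import re

# Headers whose values carry session material. Set-Cookie is the header at
# issue in CVE-2024-44000; the other two are added as an assumption for
# defence in depth, since a logger that captures responses may capture requests too.
SENSITIVE_HEADERS = {"set-cookie", "cookie", "authorization"}

# Constructed login response headers (the cookie values are made up).
LOGIN_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "wordpress_logged_in_abc123=admin%7C1725500000%7Cdeadbeef; Path=/; HttpOnly"),
    ("Set-Cookie", "wp-settings-time-1=1725400000; Path=/"),
    ("Location", "https://example.test/wp-admin/"),
]

# Real WordPress authentication cookie prefixes; a leaked value for any of
# these lets the holder act as that user.
WP_AUTH_COOKIE_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_", "wordpress_")


def log_headers_vulnerable(headers):
    """Write every response header verbatim: the pattern that leaks session cookies."""
    return "".join(f"[RESP HDR] {name}: {value}\n" for name, value in headers)


def log_headers_hardened(headers):
    """Replace the value of cookie- and credential-bearing headers before logging."""
    lines = []
    for name, value in headers:
        if name.lower() in SENSITIVE_HEADERS:
            lines.append(f"[RESP HDR] {name}: <redacted>\n")
        else:
            lines.append(f"[RESP HDR] {name}: {value}\n")
    return "".join(lines)


# Matches a logged Set-Cookie line and captures the cookie name and value.
# A redacted line has no "=" after the header name, so it does not match.
SET_COOKIE_RE = re.compile(
    r"^\[RESP HDR\] Set-Cookie:\s*([^=;\s]+)=([^;\r\n]*)",
    re.IGNORECASE | re.MULTILINE,
)


def find_leaked_cookies(log_text):
    """Return (cookie_name, value) pairs for every Set-Cookie value present in a log."""
    return [(m.group(1), m.group(2)) for m in SET_COOKIE_RE.finditer(log_text)]


def leaked_session_cookies(log_text):
    """Return only the names of leaked cookies that are WordPress auth cookies."""
    return [
        name for name, _ in find_leaked_cookies(log_text)
        if name.startswith(WP_AUTH_COOKIE_PREFIXES)
    ]


if __name__ == "__main__":
    vulnerable_log = log_headers_vulnerable(LOGIN_RESPONSE_HEADERS)
    hardened_log = log_headers_hardened(LOGIN_RESPONSE_HEADERS)
    print("vulnerable log leaks:", leaked_session_cookies(vulnerable_log))
    print("hardened log leaks:  ", leaked_session_cookies(hardened_log))
```

Pointing `find_leaked_cookies` at a site’s existing debug log (after adapting the regex to that log’s own line format) answers the question the advisory raises: whether the file still holds cookies from before the fix. If it does, purging the log is not enough on its own, since the file may already have been read; the leaked sessions also need to be invalidated, for example by forcing the affected users to log in again.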


“This vulnerability highlights the critical importance of ensuring the security of performing a debug log process, what data should not be logged, and how the debug log file is managed. In general, we highly do not recommend a plugin or theme to log sensitive data related to authentication into the debug log file,” Patchstack notes.

CVE-2024-44000 was resolved on September 4 with the release of LiteSpeed Cache version 6.5.0.1, but millions of websites might still be affected.

According to WordPress.org statistics, the plugin has been downloaded roughly 1.5 million times over the past two days. With LiteSpeed Cache having over six million installations, that leaves roughly 4.5 million websites that may still have to be patched against this bug, assuming each download corresponds to one updated site.

An all-in-one site acceleration plugin, LiteSpeed Cache provides site administrators with server-level cache and with various optimization features.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
