A major security vulnerability has been uncovered in the LiteSpeed Cache plugin, used on over 5 million WordPress websites worldwide. The flaw, identified as CVE-2024-44000, was discovered by Rafie Muhammad, a security researcher at Patchstack. Rated with a CVSS score of 9.8, the vulnerability poses a severe threat to WordPress users by allowing unauthorized individuals to take control of logged-in accounts, including those with administrative access.
LiteSpeed Cache is primarily known for its role in improving website performance by caching and optimizing site content. However, this recent flaw creates an alarming situation where attackers can hijack user sessions and potentially gain full control over a website, including administrative privileges. Once attackers obtain admin-level access, they can upload malicious plugins, alter site functionality, or even take down the website entirely, causing long-term damage.
The vulnerability is linked to the plugin's debug log feature, which inadvertently writes sensitive HTTP response headers, including "Set-Cookie" headers, to its log file. If the feature is enabled, or was enabled at some point in the past, an attacker who can read /wp-content/debug.log can recover those cookies and hijack user sessions.
The issue arises because HTTP response headers, session cookies included, are written into the debug log file. If the file is not deleted after the debug feature is disabled, the logged cookies remain exposed to anyone who can retrieve the file, which is all an attacker needs to take over the corresponding user sessions.
For the exploit to succeed, two conditions must be met: the debug log feature must be active or previously enabled, and attackers must be able to access the debug log file.
In response, LiteSpeed has issued a patch in version 6.5.0.1. It also recommends that users add stricter .htaccess rules to block web access to log files and delete any old debug logs that may still contain sensitive information.
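As an added example (not code from the original article or from the LiteSpeed plugin), the following script audits a retained debug.log for leaked Set-Cookie headers, flags the ones that carry WordPress authentication cookies, and produces a copy with the cookie values redacted. The log lines and token values are constructed samples rather than LiteSpeed's real log format; the `wordpress_logged_in_` and `wordpress_sec_` prefixes are WordPress's standard authentication cookie names.

```python
import re
import sys
from pathlib import Path

# WordPress names its authentication cookies wordpress_logged_in_<hash> and
# wordpress_sec_<hash>; a leaked value of either lets the holder act as that user.
AUTH_COOKIE_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_")

# Matches "Set-Cookie: <name>=<value>" wherever it appears inside a log line.
SET_COOKIE_RE = re.compile(r"set-cookie:\s*([^=;\s]+)=([^;\r\n]*)", re.IGNORECASE)

# Constructed sample of what a retained debug log might contain (not LiteSpeed's format).
SAMPLE_LOG = """\
[09/Sep/2024 10:15:02] [header] X-LiteSpeed-Cache: miss
[09/Sep/2024 10:15:02] [header] Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/
[09/Sep/2024 10:15:03] [header] Set-Cookie: wordpress_logged_in_3f1a=EXAMPLE_TOKEN_A; path=/; HttpOnly
[09/Sep/2024 10:15:03] [header] Set-Cookie: wordpress_sec_3f1a=EXAMPLE_TOKEN_B; path=/wp-admin; secure; HttpOnly
[09/Sep/2024 10:15:04] [cache] purge all
"""


def find_leaked_cookies(log_text):
    """Return (line_no, cookie_name, is_auth_cookie) for every Set-Cookie header in the log."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in SET_COOKIE_RE.finditer(line):
            name = match.group(1)
            findings.append((line_no, name, name.startswith(AUTH_COOKIE_PREFIXES)))
    return findings


def redact_cookie_values(log_text):
    """Replace every logged cookie value with a marker so the retained log carries no tokens."""
    return SET_COOKIE_RE.sub(lambda m: f"Set-Cookie: {m.group(1)}=[REDACTED]", log_text)


def sessions_at_risk(log_text):
    """True if the log exposes at least one authentication cookie (those sessions should be invalidated)."""
    return any(is_auth for _, _, is_auth in find_leaked_cookies(log_text))


if __name__ == "__main__":
    # Usage: audit_debug_log.py [path/to/wp-content/debug.log]; defaults to the embedded sample.
    text = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for line_no, name, is_auth in find_leaked_cookies(text):
        print(f"line {line_no}: {name} {'AUTH COOKIE - invalidate session' if is_auth else 'non-auth'}")
    if sessions_at_risk(text):
        print("Leaked auth cookies found: delete the log, block web access to *.log, force re-login.")
```

When run against a real file, the script only reads it; deleting the log and writing the redacted copy are left to the operator so that evidence can be preserved before cleanup.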