Yet, another critical severity vulnerability has been discovered in LiteSpeed Cache, a caching plugin for speeding up user browsing in over 6 million WordPress sites.
The flaw, tracked as CVE-2024-44000 and categorized as an unauthenticated account takeover issue, was discovered by Patchstack’s Rafie Muhammad on August 22, 2024. A fix was made available yesterday with the release of LiteSpeed Cache version 6.5.0.1.
Debug feature writes cookies to file
The vulnerability is tied to the plugin’s debug logging feature, which logs all HTTP response headers into a file, including the “Set-Cookie” header, when enabled.
Those headers contain session cookies used to authenticate users, so if an attacker can steal them, they can impersonate an admin user and take complete control of the site.
To exploit the flaw, an attacker must be able to access the debug log file in ‘/wp-content/debug.log.’ When no file access restrictions (such as .htaccess rules) have been implemented, this is possible by simply entering the correct URL.
Of course, the attacker will only be able to steal the session cookies of users who logged in to the site while the debug feature was active, but this includes even login events from the past if the logs are kept indefinitely and not wiped periodically.
The plugin’s vendor, LiteSpeed Technologies, addressed the problem by moving the debug log to a dedicated folder (‘/wp-content/litespeed/debug/’), randomizing log filenames, removing the option to log cookies, and adding a dummy index file for extra protection.
Users of LiteSpeed Cache are recommended to purge all ‘debug.log’ files from their servers to delete potentially valid session cookies that could be stolen by threat actors.
An .htaccess rule to deny direct access to the log files should also be set, as the randomized names on the new system may still be guessed through multiple attempts/brute-forcing.
WordPress.org reports that just over 375,000 users downloaded LiteSpeed Cache yesterday, the day v6.5.0.1 was released, so the number of sites remaining vulnerable to these attacks may surpass 5.6 million.
LiteSpeed Cache under fire
The particular plugin has remained at the epicenter of security research lately for its massive popularity and because hackers are constantly looking for opportunities to attack websites through it.
In May 2024, it was observed that hackers were targeting an outdated version of the plugin, impacted by an unauthenticated cross-site scripting flaw tracked as CVE-2023-40000, to create administrator users and take control of sites.
More recently, on August 21, 2024, a critical unauthenticated privilege escalation vulnerability tracked as CVE-2024-28000 was discovered, with researchers sounding the alarm about how easy it was to exploit.
It only took threat actors a few hours after the disclosure of the flaw before they started attacking sites en masse, with Wordfence reporting blocking nearly 50,000 attacks.
Today, two weeks have passed since the initial disclosure, and the same portal reports 340,000 attacks in the past 24 hours.