CVE-2024-44000 (CVSS 9.8): Litespeed Cache flaw exposes millions of WordPress sites to takeover attacks

Summary: A critical security vulnerability (CVE-2024-44000) has been discovered in the LiteSpeed Cache plugin for WordPress, allowing unauthenticated users to hijack logged-in accounts, including those with administrator privileges. The flaw, which affects over 5 million installations, stems from a debug log feature that inadvertently exposes sensitive session cookies.

Threat Actor: Unknown
Victim: WordPress Users

Key Points:

  • The vulnerability allows attackers to hijack user sessions and potentially gain administrator access.
  • It is critical for users to update to version 6.5.0.1 of the plugin and implement additional security measures.
  • Attackers can exploit this vulnerability if the debug log feature is enabled and if they can access the debug log file containing leaked cookies.

A significant security vulnerability has been uncovered in the popular LiteSpeed Cache plugin for WordPress, which boasts over 5 million active installations. The vulnerability, discovered by Rafie Muhammad, a security researcher at Patchstack, poses a severe threat to WordPress users by allowing unauthenticated visitors to gain access to logged-in accounts, including those with administrator privileges. The vulnerability, identified as CVE-2024-44000, carries a CVSS score of 9.8, marking it as critical.

The LiteSpeed Cache plugin, widely used for its robust caching and site optimization features, suffers from an unauthenticated account takeover flaw. This vulnerability allows attackers to hijack user sessions, potentially escalating their access to an administrator-level role. Once an attacker gains such access, they can upload and install malicious plugins, taking complete control over the compromised site.

The vulnerability stems from an issue within the plugin’s debug log feature, which inadvertently writes HTTP response headers, including sensitive “Set-Cookie” headers, to the log. These headers are written when a user logs in to the WordPress site; if the debug log feature is enabled, or was enabled in the past and the log was never purged, an attacker who can read the log can reuse the leaked cookies to hijack those sessions.

The root of the CVE-2024-44000 vulnerability lies in the plugin’s ended() function, which passes the output of headers_list() (every response header the server is about to send) to the self::debug() function as its data parameter.

    /**
     * End call of one request process
     * @since 4.7
     * @access public
     */
    public static function ended()
    {
        // headers_list() returns every response header queued so far, Set-Cookie included,
        // and self::debug() writes them verbatim to the debug log.
        self::debug('Response headers', headers_list());

        $elapsed_time = number_format((microtime(true) - LSCWP_TS_0) * 1000, 2);
        self::debug("End response\n--------------------------------------------------Duration: " . $elapsed_time . " ms------------------------------\n");
    }

src/debug2.cls.php, function ended()

This function compiles all HTTP response headers, including the “Set-Cookie” header, and writes them into the debug log file. If the debug log feature has been enabled at any point, the log file may contain sensitive session cookies, exposing them to attackers if the file is not purged.

The exploitability of this vulnerability depends on two key conditions:

  1. The debug log feature must be active or have been activated in the past without the log file being purged.
  2. The attacker must be able to access the /wp-content/debug.log file, which retains the leaked cookies.

In response to this critical vulnerability, the LiteSpeed team released a patch in version 6.5.0.1 of the plugin. While the patch addresses the core issues, additional recommendations were made to enhance the security of affected sites:

  • Implementing proper .htaccess rules to deny direct access to the new log files, as the current rules are insufficient to fully block access.
  • Purging or removing content from the old debug.log file, especially if the debug feature had been enabled in the past, to prevent attackers from accessing previously leaked cookie data.
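The following is an added example for auditing an existing debug.log before it is purged; it is not code from Patchstack or the LiteSpeed project. It scans the log for Set-Cookie headers carrying WordPress authentication cookies (wordpress_logged_in_*, wordpress_sec_*, wordpress_*) and produces a redacted copy, so an administrator can confirm whether session cookies were leaked and make the log safe to retain. The log framing in SAMPLE_DEBUG_LOG is constructed and assumed; the regex only relies on the "Set-Cookie: name=value" text itself.

```python
import re
from dataclasses import dataclass

# WordPress auth/session cookie name prefixes. wordpress_test_cookie is a harmless
# probe cookie and is excluded explicitly.
WP_SESSION_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_", "wordpress_")
NON_SESSION_NAMES = {"wordpress_test_cookie"}
REDACTED = "[REDACTED]"

# Matches a Set-Cookie header wherever it appears in a log line (name and value).
SET_COOKIE_RE = re.compile(r"Set-Cookie:\s*([^=;\s]+)=([^;\r\n]*)", re.IGNORECASE)

# Constructed sample of what a leaked login response could look like in debug.log.
SAMPLE_DEBUG_LOG = """\
[constructed sample] Response headers
 => Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/
 => Set-Cookie: wordpress_logged_in_a1b2c3=admin%7C1725000000%7Ctokenvalue%7Chmacvalue; path=/; HttpOnly
 => Set-Cookie: wordpress_sec_a1b2c3=admin%7C1725000000%7Ctokenvalue%7Chmacvalue; path=/wp-admin; secure; HttpOnly
 => X-Powered-By: PHP/8.1
End response
"""


@dataclass
class LeakedCookie:
    line_no: int
    name: str
    value_len: int  # length only; the value itself is never reported


def is_wp_session_cookie(name: str) -> bool:
    return name.startswith(WP_SESSION_PREFIXES) and name not in NON_SESSION_NAMES


def find_leaked_session_cookies(log_text: str) -> list[LeakedCookie]:
    """Return every WordPress session cookie whose value survives in the log."""
    leaks = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for m in SET_COOKIE_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            if is_wp_session_cookie(name) and value and value != REDACTED:
                leaks.append(LeakedCookie(line_no, name, len(value)))
    return leaks


def redact_set_cookie_values(log_text: str) -> str:
    """Replace every Set-Cookie value (session or not) so the log can be kept safely."""
    return SET_COOKIE_RE.sub(lambda m: f"Set-Cookie: {m.group(1)}={REDACTED}", log_text)


if __name__ == "__main__":
    for leak in find_leaked_session_cookies(SAMPLE_DEBUG_LOG):
        print(f"line {leak.line_no}: {leak.name} ({leak.value_len} chars leaked)")
```

On a live site, run the scan over the real /wp-content/debug.log and overwrite it with the redacted copy (or delete it) before relying on .htaccess rules alone.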


Source: https://securityonline.info/cve-2024-44000-cvss-9-8-litespeed-cache-flaw-exposes-millions-of-wordpress-sites-to-takeover-attacks