But, one other essential severity vulnerability has been found in LiteSpeed Cache, a caching plugin for dashing up consumer searching in over 6 million WordPress websites.
The flaw, tracked as CVE-2024-44000 and categorized as an unauthenticated account takeover concern, was found by Patchstack’s Rafie Muhammad on August 22, 2024. A repair was made out there yesterday with the discharge of LiteSpeed Cache model 6.5.0.1.
Debug function writes cookies to file
The vulnerability is tied to the plugin’s debug logging function, which logs all HTTP response headers right into a file, together with the “Set-Cookie” header, when enabled.
These headers comprise session cookies used to authenticate customers, so if an attacker can steal them, they’ll impersonate an admin consumer and take full management of the positioning.
To use the flaw, an attacker should be capable of entry the debug log file in ‘/wp-content/debug.log.’ When no file entry restrictions (akin to .htaccess guidelines) have been carried out, that is attainable by merely coming into the right URL.
In fact, the attacker will solely be capable of steal the session cookies of customers who logged in to the positioning whereas the debug function was lively, however this contains even login occasions from the previous if the logs are saved indefinitely and never wiped periodically.
The plugin’s vendor, LiteSpeed Applied sciences, addressed the issue by transferring the debug log to a devoted folder (‘/wp-content/litespeed/debug/’), randomizing log filenames, eradicating the choice to log cookies, and including a dummy index file for further safety.
Customers of LiteSpeed Cache are advisable to purge all ‘debug.log’ recordsdata from their servers to delete probably legitimate session cookies that could possibly be stolen by menace actors.
An .htaccess rule to disclaim direct entry to the log recordsdata also needs to be set, because the randomized names on the brand new system should be guessed by way of a number of makes an attempt/brute-forcing.
WordPress.org experiences that simply over 375,000 customers downloaded LiteSpeed Cache yesterday, the day v6.5.0.1 was launched, so the variety of websites remaining susceptible to those assaults might surpass 5.6 million.
LiteSpeed Cache underneath fireplace
The actual plugin has remained on the epicenter of safety analysis currently for its huge reputation and since hackers are consistently searching for alternatives to assault web sites by way of it.
In Might 2024, it was noticed that hackers had been concentrating on an outdated model of the plugin, impacted by an unauthenticated cross-site scripting flaw tracked as CVE-2023-40000, to create administrator customers and take management of web sites.
Extra not too long ago, on August 21, 2024, a essential unauthenticated privilege escalation vulnerability tracked as CVE-2024-28000 was found, with researchers sounding the alarm about how simple it was to take advantage of.
It solely took menace actors a number of hours after the disclosure of the flaw earlier than they began attacking websites en masse, with Wordfence reporting blocking practically 50,000 assaults.
Immediately, two weeks have handed because the preliminary disclosure, and the identical portal experiences 340,000 assaults previously 24 hours.
