But, one other essential severity vulnerability has been found in LiteSpeed Cache, a caching plugin for dashing up person looking in over 6 million WordPress websites.
The flaw, tracked as CVE-2024-44000 and categorized as an unauthenticated account takeover problem, was found by Patchstack’s Rafie Muhammad on August 22, 2024. A repair was made accessible yesterday with the discharge of LiteSpeed Cache model 6.5.0.1.
Debug characteristic writes cookies to file
The vulnerability is tied to the plugin’s debug logging characteristic, which logs all HTTP response headers right into a file, together with the “Set-Cookie” header, when enabled.
These headers include session cookies used to authenticate customers, so if an attacker can steal them, they’ll impersonate an admin person and take full management of the positioning.
To take advantage of the flaw, an attacker should be capable of entry the debug log file in ‘/wp-content/debug.log.’ When no file entry restrictions (equivalent to .htaccess guidelines) have been carried out, that is doable by merely coming into the right URL.
In fact, the attacker will solely be capable of steal the session cookies of customers who logged in to the positioning whereas the debug characteristic was energetic, however this consists of even login occasions from the previous if the logs are saved indefinitely and never wiped periodically.
The plugin’s vendor, LiteSpeed Applied sciences, addressed the issue by transferring the debug log to a devoted folder (‘/wp-content/litespeed/debug/’), randomizing log filenames, eradicating the choice to log cookies, and including a dummy index file for additional safety.
Customers of LiteSpeed Cache are beneficial to purge all ‘debug.log’ recordsdata from their servers to delete probably legitimate session cookies that may very well be stolen by risk actors.
An .htaccess rule to disclaim direct entry to the log recordsdata must also be set, because the randomized names on the brand new system should still be guessed by a number of makes an attempt/brute-forcing.
WordPress.org experiences that simply over 375,000 customers downloaded LiteSpeed Cache yesterday, the day v6.5.0.1 was launched, so the variety of websites remaining weak to those assaults might surpass 5.6 million.
LiteSpeed Cache underneath fireplace
The actual plugin has remained on the epicenter of safety analysis recently for its large reputation and since hackers are always in search of alternatives to assault web sites by it.
In Could 2024, it was noticed that hackers have been concentrating on an outdated model of the plugin, impacted by an unauthenticated cross-site scripting flaw tracked as CVE-2023-40000, to create administrator customers and take management of web sites.
Extra not too long ago, on August 21, 2024, a essential unauthenticated privilege escalation vulnerability tracked as CVE-2024-28000 was found, with researchers sounding the alarm about how simple it was to take advantage of.
It solely took risk actors a number of hours after the disclosure of the flaw earlier than they began attacking websites en masse, with Wordfence reporting blocking almost 50,000 assaults.
At this time, two weeks have handed because the preliminary disclosure, and the identical portal experiences 340,000 assaults previously 24 hours.