CVE-2024-44000 (CVSS 9.8): Litespeed Cache flaw exposes millions of WordPress sites to takeover attacks


A significant security vulnerability has been uncovered in the popular LiteSpeed Cache plugin for WordPress, which boasts over 5 million active installations. The vulnerability, discovered by Rafie Muhammad, a security researcher at Patchstack, poses a severe threat to WordPress users by allowing unauthenticated visitors to gain access to logged-in accounts, including those with administrator privileges. The vulnerability, identified as CVE-2024-44000, carries a CVSS score of 9.8, marking it as critical.

The LiteSpeed Cache plugin, widely used for its robust caching and site optimization features, suffers from an unauthenticated account takeover flaw. This vulnerability allows attackers to hijack user sessions, potentially escalating their access to an administrator-level role. Once an attacker gains such access, they can upload and install malicious plugins, taking complete control over the compromised site.

The vulnerability stems from an issue within the plugin’s debug log feature, which inadvertently leaks HTTP response headers, including sensitive “Set-Cookie” headers. This occurs when users log in to a WordPress site, and if the debug log feature is enabled or has been previously activated, attackers can exploit this leak to hijack user sessions.

The root of the CVE-2024-44000 vulnerability lies in the plugin's ended() function, which calls self::debug() with the output of headers_list() as its parameter.

    /**
     * End call of one request process
     * @since 4.7
     * @access public
     */
    public static function ended()
    {
        self::debug('Response headers', headers_list());

        $elapsed_time = number_format((microtime(true) - LSCWP_TS_0) * 1000, 2);
        self::debug("End response\n--------------------------------------------------Duration: " . $elapsed_time . " ms------------------------------\n");
    }
src/debug2.cls.php, function ended()

This function compiles all HTTP response headers, including the “Set-Cookie” header, and writes them into the debug log file. If the debug log feature has been enabled at any point, the log file may contain sensitive session cookies, exposing them to attackers if the file is not purged.
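To show what the defect looks like from the fixing side, here is an added example (not the plugin's own code and not LiteSpeed's actual patch) of a debug-logging helper that mirrors the shape of the vulnerable self::debug('Response headers', headers_list()) call but redacts cookie-bearing headers before anything reaches the log file. The function names redact_sensitive_headers() and write_debug_log(), the log path, and the sample header list are all assumptions constructed for the example.

```php
<?php
// Added example (not the plugin's own code or its patch): a logging helper
// that redacts cookie-bearing headers before they reach a debug log.
// Assumed names: redact_sensitive_headers(), write_debug_log(), $log_path.

/**
 * Return a copy of $headers with the values of sensitive headers replaced.
 * Header names are matched case-insensitively; Set-Cookie (the response
 * header leaked by the vulnerable function) plus Cookie and Authorization
 * are treated as sensitive.
 */
function redact_sensitive_headers(array $headers): array
{
    $sensitive = ['set-cookie', 'cookie', 'authorization'];
    $out = [];
    foreach ($headers as $header) {
        $parts = explode(':', $header, 2);
        if (count($parts) !== 2) {
            $out[] = $header; // malformed line, keep verbatim
            continue;
        }
        $name = strtolower(trim($parts[0]));
        if (in_array($name, $sensitive, true)) {
            // Keep the header name (still useful when debugging cache
            // behaviour) but never the value, which for Set-Cookie after a
            // login is the session token itself.
            $out[] = trim($parts[0]) . ': [REDACTED]';
        } else {
            $out[] = $header;
        }
    }
    return $out;
}

/**
 * Append a labelled entry to the debug log, passing the header list through
 * redact_sensitive_headers() first.
 */
function write_debug_log(string $log_path, string $label, array $headers): void
{
    $safe  = redact_sensitive_headers($headers);
    $entry = '[' . gmdate('c') . "] $label\n" . implode("\n", $safe) . "\n";
    // LOCK_EX so concurrent requests do not interleave partial lines.
    file_put_contents($log_path, $entry, FILE_APPEND | LOCK_EX);
}

// Constructed sample: the kind of list headers_list() returns right after a
// WordPress login. The cookie hash and token are placeholders.
$sample_headers = [
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: wordpress_logged_in_EXAMPLEHASH=admin%7C1700000000%7CEXAMPLETOKEN; path=/; HttpOnly',
    'X-LiteSpeed-Cache: miss',
];

$log_path = sys_get_temp_dir() . '/debug-example.log';
write_debug_log($log_path, 'Response headers', $sample_headers);
echo implode("\n", redact_sensitive_headers($sample_headers)), "\n";
```

Redacting by header name rather than by value pattern is deliberate: it does not depend on recognising every cookie format WordPress or another plugin might emit, and it keeps the header name visible so the log still shows that a cookie was set. Redaction at the logging call is also independent of where the log file lives and whether the web server blocks access to it, so it holds even if the .htaccess protection is later misconfigured.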

The exploitability of this vulnerability depends on two key conditions:

  1. The debug log feature must be active or have been activated in the past without the log file being purged.
  2. The attacker must be able to access the /wp-content/debug.log file, which retains the leaked cookies.

In response to this critical vulnerability, the LiteSpeed team released a patch in version 6.5.0.1 of the plugin. While the patch addresses the core issues, additional recommendations were made to enhance the security of affected sites:

  • Implementing proper .htaccess rules to deny direct access to the new log files, as the current rules are insufficient to fully block access.
  • Purging or removing content from the old debug.log file, especially if the debug feature had been enabled in the past, to prevent attackers from accessing previously leaked cookie data.
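The second recommendation only matters if the old log actually contains leaked cookies, so an operator wants to check before (or while) purging. The following added example (not LiteSpeed's code) is a standalone PHP script that scans a debug.log line by line for Set-Cookie entries carrying WordPress authentication cookies, reports the line numbers and cookie names without echoing the values, and optionally truncates the file. The function names find_leaked_cookie_lines() and audit_debug_log() and the sample log content are constructed for the example; the cookie-name pattern follows the standard WordPress names (wordpress_<hash>, wordpress_sec_<hash>, wordpress_logged_in_<hash>).

```php
<?php
// Added example (not LiteSpeed's code): audit an existing debug.log for
// leaked cookie headers so an operator knows whether it must be purged.
// Assumed names: find_leaked_cookie_lines(), audit_debug_log(), $log_path.

/**
 * Scan a log file line by line and return the line number and cookie name
 * of every Set-Cookie entry that carries a WordPress auth/session cookie.
 * Reading line by line keeps memory flat on very large logs.
 */
function find_leaked_cookie_lines(string $log_path): array
{
    $hits = [];
    $fh = fopen($log_path, 'r');
    if ($fh === false) {
        return $hits;
    }
    $n = 0;
    while (($line = fgets($fh)) !== false) {
        $n++;
        // Standard WordPress auth cookie names use a hex hash suffix.
        // Only the name is captured; the value is never printed.
        if (preg_match('/Set-Cookie:\s*(wordpress(?:_sec|_logged_in)?_[0-9a-f]+)=/i', $line, $m)) {
            $hits[] = ['line' => $n, 'cookie' => $m[1]];
        }
    }
    fclose($fh);
    return $hits;
}

/**
 * Print findings and, when $purge is true and something was found, truncate
 * the file in place. Truncating rather than deleting keeps the path the
 * plugin expects while removing the leaked content.
 */
function audit_debug_log(string $log_path, bool $purge = false): int
{
    $hits = find_leaked_cookie_lines($log_path);
    foreach ($hits as $h) {
        printf("line %d: %s leaked\n", $h['line'], $h['cookie']);
    }
    if ($hits && $purge) {
        file_put_contents($log_path, '', LOCK_EX);
        echo "purged $log_path\n";
    }
    return count($hits);
}

// Constructed sample log written to a temp file, standing in for
// wp-content/debug.log. Hash and token values are placeholders.
$log_path = sys_get_temp_dir() . '/debug-audit-example.log';
file_put_contents($log_path, implode("\n", [
    '[09/Sep/2024 10:00:00] Response headers',
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: wordpress_logged_in_abc123=admin%7C1700000000%7CEXAMPLE; path=/; HttpOnly',
    'X-LiteSpeed-Cache: miss',
]) . "\n");

$count = audit_debug_log($log_path, true);
echo "$count leaked cookie line(s) found\n";
```

Purging the file removes the leaked tokens but does not invalidate sessions whose cookies were already read by someone else; any session cookie found in the log should be treated as compromised, which on WordPress means forcing the affected users to log out and log back in. The web-server rule from the first recommendation still needs to be in place afterwards, since a purged log that keeps being written to without access restrictions just starts leaking again.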
