But, one other vital severity vulnerability has been found in LiteSpeed Cache, a caching plugin for rushing up consumer searching in over 6 million WordPress websites.
The flaw, tracked as CVE-2024-44000 and categorized as an unauthenticated account takeover situation, was found by Patchstack’s Rafie Muhammad on August 22, 2024. A repair was made obtainable yesterday with the discharge of LiteSpeed Cache model 6.5.0.1.
Debug characteristic writes cookies to file
The vulnerability is tied to the plugin’s debug logging characteristic, which logs all HTTP response headers right into a file, together with the “Set-Cookie” header, when enabled.
These headers comprise session cookies used to authenticate customers, so if an attacker can steal them, they’ll impersonate an admin consumer and take full management of the positioning.
To use the flaw, an attacker should be capable of entry the debug log file in ‘/wp-content/debug.log.’ When no file entry restrictions (reminiscent of .htaccess guidelines) have been applied, that is doable by merely coming into the right URL.
After all, the attacker will solely be capable of steal the session cookies of customers who logged in to the positioning whereas the debug characteristic was lively, however this contains even login occasions from the previous if the logs are saved indefinitely and never wiped periodically.
The plugin’s vendor, LiteSpeed Applied sciences, addressed the issue by transferring the debug log to a devoted folder (‘/wp-content/litespeed/debug/’), randomizing log filenames, eradicating the choice to log cookies, and including a dummy index file for further safety.
Customers of LiteSpeed Cache are beneficial to purge all ‘debug.log’ recordsdata from their servers to delete doubtlessly legitimate session cookies that might be stolen by menace actors.
An .htaccess rule to disclaim direct entry to the log recordsdata also needs to be set, because the randomized names on the brand new system should be guessed by means of a number of makes an attempt/brute-forcing.
WordPress.org stories that simply over 375,000 customers downloaded LiteSpeed Cache yesterday, the day v6.5.0.1 was launched, so the variety of websites remaining susceptible to those assaults might surpass 5.6 million.
LiteSpeed Cache beneath hearth
The actual plugin has remained on the epicenter of security analysis these days for its huge recognition and since hackers are consistently searching for alternatives to assault web sites by means of it.
In Might 2024, it was noticed that hackers have been focusing on an outdated model of the plugin, impacted by an unauthenticated cross-site scripting flaw tracked as CVE-2023-40000, to create administrator customers and take management of websites.
Extra lately, on August 21, 2024, a vital unauthenticated privilege escalation vulnerability tracked as CVE-2024-28000 was found, with researchers sounding the alarm about how simple it was to take advantage of.
It solely took menace actors a couple of hours after the disclosure of the flaw earlier than they began attacking websites en masse, with Wordfence reporting blocking practically 50,000 assaults.
Right this moment, two weeks have handed because the preliminary disclosure, and the identical portal stories 340,000 assaults previously 24 hours.