A flaw in WordPress LiteSpeed Cache Plugin allows account takeover - #CVE-2024-44000
A critical security vulnerability, designated CVE-2024-44000 (with varying CVSS scores across vendors), has been identified in the LiteSpeed Cache plugin for WordPress, which is installed on over 5 million sites. The flaw lies in the plugin's debug log feature: when debug logging is enabled, the plugin writes HTTP response headers, including users' session cookies, to its log file. If that log file becomes publicly accessible, an unauthenticated attacker can read the logged cookies and reuse them to gain administrative access and take over the site. LiteSpeed has released a patch in version 6.5.0.1 that secures the debug log by relocating it, giving it a random filename, and removing sensitive data from its entries. Users are strongly advised to update the plugin, delete any old debug log files, and add .htaccess rules that block direct web access to log files. Despite the patch, many sites remain at risk, which underlines the importance of proactive measures to protect user data and website integrity.
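One way to apply the .htaccess advice above, as an added example that is not part of the original article or the plugin's own code; it assumes an Apache-compatible server (Apache or LiteSpeed, both of which honour .htaccess) and that the debug log is stored as a `.log` file under `wp-content/`:

```apache
# Added example, not from the original article or the LiteSpeed project.
# Assumes the debug log is a .log file under wp-content/; adjust the
# directory if your log lives elsewhere. Place this in wp-content/.htaccess.

# Apache 2.4+ and LiteSpeed: deny direct web access to any .log file
<IfModule mod_authz_core.c>
    <FilesMatch "\.log$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 fallback (older authorization syntax)
<IfModule !mod_authz_core.c>
    <FilesMatch "\.log$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

After deploying, request the log's URL on your own site with curl and confirm the server answers 403 rather than serving the file; the rule only helps if .htaccess overrides are enabled (AllowOverride) for that directory.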