Sunday, March 9, 2025

Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress


Cybersecurity researchers have discovered yet another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts.

The vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), affects versions before and including 6.4.1. It has been addressed in version 6.5.0.1.

“The plugin suffers from an unauthenticated account takeover vulnerability which allows any unauthenticated visitor to gain authentication access to any logged-in users and at worst can gain access to an Administrator level role, after which malicious plugins could be uploaded and installed,” Patchstack researcher Rafie Muhammad said.


The discovery follows a detailed security analysis of the plugin, which previously led to the identification of a critical privilege escalation flaw (CVE-2024-28000, CVSS score: 9.8). LiteSpeed Cache is a popular caching plugin for the WordPress ecosystem with over 5 million active installations.

The new vulnerability stems from the fact that a debug log file named “/wp-content/debug.log” is publicly exposed, which makes it possible for unauthenticated attackers to view potentially sensitive information contained in the file.


This can include user cookie values captured from HTTP request and response headers, effectively allowing an attacker to log in to a vulnerable site by replaying any session that is still valid.

The lower severity of the flaw is owing to the prerequisite that the debug feature must be enabled on a WordPress site for the attack to succeed. However, it also affects sites that activated the debug log feature at some point in the past and then failed to remove the debug file, since the old log stays on disk and stays readable.
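To make the exposure concrete, here is an added example (not LiteSpeed Cache or Patchstack code) that takes a local copy of an exposed debug log and lists the WordPress authentication cookies it leaks, together with the account and expiry each one carries. This is exactly what an attacker who could fetch /wp-content/debug.log would extract. The log lines are constructed for the demo and the cookie values are fake; the real file's framing may differ, so adapt the grep pattern to what you actually find in it.

```shell
#!/bin/sh
# Added example, not LiteSpeed Cache or Patchstack code: given a copy of an exposed
# debug log, list the WordPress authentication cookies it leaks and the account each
# one belongs to. The log layout below is constructed for the demo; the real file's
# framing may differ, so adapt the grep pattern to what you actually find in it.

# Constructed sample of a log written while the (since removed) cookie-logging option
# was on. All cookie values are fake. The 32-hex-character suffix is WordPress's
# COOKIEHASH (md5 of the site URL), so real cookie names differ per site.
SAMPLE_LOG='[09/Sep/2024 10:15:02] GET /wp-admin/ HTTP/1.1
[09/Sep/2024 10:15:02] Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_0123456789abcdef0123456789abcdef=admin%7C1726000000%7Cdeadbeefcafebabe0011223344556677%7C8899aabbccddeeff0011223344556677
[09/Sep/2024 10:15:02] Set-Cookie: wordpress_sec_0123456789abcdef0123456789abcdef=admin%7C1726000000%7Cdeadbeefcafebabe0011223344556677%7Cffeeddccbbaa99887766554433221100; path=/wp-admin; secure; HttpOnly
[09/Sep/2024 10:15:03] GET /?p=1 HTTP/1.1
[09/Sep/2024 10:15:03] Cookie: wp-settings-time-1=1726000000'

# extract_auth_cookies LOGFILE
# Prints each distinct WordPress auth cookie (wordpress_<hash>, wordpress_sec_<hash>,
# wordpress_logged_in_<hash>) as "name=value", one per line. Other cookies are ignored.
extract_auth_cookies() {
    grep -oE 'wordpress(_logged_in|_sec)?_[0-9a-f]{32}=[^;[:space:]]+' "$1" | sort -u
}

# cookie_user COOKIE
# WordPress auth cookie values are "username|expiry|token|hmac"; in a header dump the
# pipes appear URL-encoded as %7C. Prints the username, i.e. whose session it is.
cookie_user() {
    printf '%s\n' "$1" | sed -e 's/^[^=]*=//' -e 's/%7[Cc]/|/g' | cut -d '|' -f 1
}

# cookie_expiry COOKIE
# Prints the Unix expiry timestamp. A session whose expiry is still in the future is
# the "actively valid" session the article says can be replayed.
cookie_expiry() {
    printf '%s\n' "$1" | sed -e 's/^[^=]*=//' -e 's/%7[Cc]/|/g' | cut -d '|' -f 2
}

# Demo on the constructed sample: write it to a temp file and report what leaks.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
extract_auth_cookies "$tmp" | while read -r c; do
    printf '%s -> account %s, expires %s\n' "${c%%=*}" "$(cookie_user "$c")" "$(cookie_expiry "$c")"
done
rm -f "$tmp"
```

Only the cookie name pattern matters here: WordPress's auth cookies are the only ones worth replaying, and the log also contains harmless ones (wordpress_test_cookie, wp-settings-*) that the pattern skips. If a real log ever sat exposed, treat every session it contains as compromised: have those users log out everywhere (which rotates their session tokens) rather than only deleting the file.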


It's worth noting that this feature is disabled by default. The patch addresses the problem by moving the log file to a dedicated folder within the LiteSpeed plugin folder (“/wp-content/litespeed/debug/”), randomizing filenames, and dropping the option to log cookies in the file.


Users are advised to check their installations for the presence of “/wp-content/debug.log” and to delete it if the debugging feature has (or had) been enabled.

It is also recommended to set an .htaccess rule to deny direct access to the log files, as malicious actors can still fetch the new log file directly if they discover its randomized filename by trial and error.
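The two recommendations above, as an added example (not LiteSpeed Cache code) in the form of a post-patch audit script for a WordPress install. It reports whether debug logging is on in wp-config.php, lists leftover log files in both the old and the new location, and writes the .htaccess deny rules. The paths follow the article; the wp-config.php pattern is an assumption about how WP_DEBUG_LOG is usually defined.

```shell
#!/bin/sh
# Added example, not LiteSpeed Cache code: audit a WordPress webroot for exposed
# debug logs and install .htaccess deny rules. Paths follow the article
# (/wp-content/debug.log, /wp-content/litespeed/debug/); the wp-config.php pattern
# is an assumption about the usual define() form.

# debug_log_enabled WP_CONFIG
# Succeeds if wp-config.php turns WP_DEBUG_LOG on, either as `true` or as a quoted
# custom path (WordPress accepts both). A site where this is false may still have an
# old log on disk, which is why the file checks below run regardless.
debug_log_enabled() {
    grep -Eq "define\([[:space:]]*['\"]WP_DEBUG_LOG['\"][[:space:]]*,[[:space:]]*(true|['\"])" "$1"
}

# find_debug_logs WEBROOT
# Prints the legacy log (wp-content/debug.log) if present, plus every file in the new
# randomized-name directory wp-content/litespeed/debug/ (excluding our own .htaccess).
find_debug_logs() {
    root=$1
    [ -f "$root/wp-content/debug.log" ] && printf '%s\n' "$root/wp-content/debug.log"
    if [ -d "$root/wp-content/litespeed/debug" ]; then
        find "$root/wp-content/litespeed/debug" -type f ! -name '.htaccess'
    fi
    return 0
}

# deny_block: emits the deny directives in both Apache 2.4 (mod_authz_core) and
# 2.2 syntax, so the same file works on either.
deny_block() {
    cat <<'EOF'
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
EOF
}

# write_deny_htaccess DIR
# Drops a .htaccess into DIR that refuses every direct HTTP request for anything in it.
# Guessing a randomized filename gains nothing once the whole directory is denied.
write_deny_htaccess() {
    { printf '# Block direct access to LiteSpeed debug logs\n'; deny_block; } > "$1/.htaccess"
}

# deny_debug_log_file WPCONTENT_DIR
# Appends a <Files "debug.log"> rule to wp-content/.htaccess (idempotent), so a legacy
# log that is recreated later is still unreachable over HTTP.
deny_debug_log_file() {
    ht="$1/.htaccess"
    if [ -f "$ht" ] && grep -q '<Files "debug.log">' "$ht"; then
        return 0
    fi
    { printf '<Files "debug.log">\n'; deny_block; printf '</Files>\n'; } >> "$ht"
}

# audit WEBROOT: print findings, then apply the deny rules.
audit() {
    root=$1
    if debug_log_enabled "$root/wp-config.php"; then
        echo "WP_DEBUG_LOG is enabled in wp-config.php"
    else
        echo "WP_DEBUG_LOG is off (old logs may still exist)"
    fi
    logs=$(find_debug_logs "$root")
    if [ -n "$logs" ]; then
        echo "Log files found (review, then delete):"
        printf '%s\n' "$logs" | sed 's/^/  /'
    fi
    [ -d "$root/wp-content/litespeed/debug" ] && write_deny_htaccess "$root/wp-content/litespeed/debug"
    deny_debug_log_file "$root/wp-content"
    return 0
}

# Usage: sh lsc_debug_audit.sh /var/www/html
if [ -n "${1:-}" ]; then
    audit "$1"
fi
```

The .htaccess rules only take effect where the server reads them: Apache and LiteSpeed honor them when AllowOverride permits it, while nginx ignores .htaccess entirely and needs an equivalent `location` deny in its own configuration. The script deliberately lists logs rather than deleting them, so you can inspect what leaked (and which sessions to invalidate) before purging.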

“This vulnerability highlights the critical importance of ensuring the security of performing a debug log process, what data should not be logged, and how the debug log file is managed,” Muhammad said.
