## WordPress LiteSpeed Cache Plugin Flaw Allows Account Takeover, Experts Warn

Sat Sep 07 11:13:28 UTC 2024

A critical vulnerability has been discovered in the popular WordPress LiteSpeed Cache plugin, allowing unauthenticated attackers to gain access to user accounts and potentially escalate privileges to the administrator level.

The flaw, tracked as CVE-2024-44000, stems from a leak in the plugin’s debug log file. This leak exposes sensitive information, including user cookie data, which can be exploited by attackers to log in using valid sessions. The vulnerability is only exploitable if the WordPress site’s debug feature is enabled, which is disabled by default.

Researchers from Patchstack, who discovered the vulnerability, recommend users update to version 6.5.0.1 of the LiteSpeed Cache plugin to mitigate the risk. They also advise disabling the debug feature and regularly purging or removing content from the debug log file to prevent unauthorized access to leaked cookie data.
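To make the two mitigation steps concrete, the following Python script is an added example (not code from the article, from Patchstack, or from the LiteSpeed Cache project): it audits a debug log for leaked WordPress authentication cookies and writes a redacted copy. The log line format and the file path are assumptions; only the cookie naming scheme (`wordpress_logged_in_<hash>`, `wordpress_sec_<hash>`, `wordpress_<hash>`, with a `|`-separated value that appears URL-encoded as `%7C`) is WordPress's own.

```python
import re
from pathlib import Path

# WordPress session cookies are named after an MD5 hash of the site URL:
# wordpress_logged_in_<hash>, wordpress_sec_<hash>, wordpress_<hash>.
AUTH_COOKIE_RE = re.compile(
    r"\b(wordpress_(?:logged_in|sec)?_?[0-9a-f]{32})=([^;\s\"']+)"
)
REDACTED = "REDACTED"

# Constructed sample log. The line layout is invented for this example and is
# not a claim about how LiteSpeed Cache formats its debug output; the point is
# that request/response headers copied verbatim into a log carry the cookies.
SAMPLE_LOG = """\
2024-09-06 10:00:01 GET / cache-control check
2024-09-06 10:00:01 GET /wp-admin/ cookie: wordpress_logged_in_0123456789abcdef0123456789abcdef=admin%7C1725700000%7Ctokentoken%7Chashhash; wp-settings-1=x
2024-09-06 10:00:02 GET /feed/ no vary header found
2024-09-06 10:00:03 POST /wp-login.php Set-Cookie: wordpress_sec_0123456789abcdef0123456789abcdef=editor%7C1725700100%7Ctok2%7Chash2; path=/wp-content/plugins; secure; HttpOnly
"""


def find_cookie_leaks(log_text):
    """Return (line_number, cookie_name, value_prefix) for every WordPress
    auth cookie whose value survives in the log. Only the first 8 characters
    of the value are kept so the audit report itself does not leak it."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for match in AUTH_COOKIE_RE.finditer(line):
            name, value = match.group(1), match.group(2)
            if value == REDACTED:
                continue  # already scrubbed by redact_cookie_values()
            hits.append((lineno, name, value[:8] + "..."))
    return hits


def redact_cookie_values(log_text):
    """Return a copy of the log with every auth cookie value blanked out."""
    return AUTH_COOKIE_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", log_text)


def audit_log_file(path):
    """Audit a log on disk and write a redacted sibling file next to it.
    Returns the list of leaks that were found before redaction."""
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = find_cookie_leaks(text)
    if hits:
        path.with_suffix(path.suffix + ".redacted").write_text(
            redact_cookie_values(text), encoding="utf-8"
        )
    return hits


if __name__ == "__main__":
    # Path is a placeholder: point it at the plugin's actual debug log.
    for lineno, name, prefix in find_cookie_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {name} leaked (value starts {prefix})")
```

Running the script against the constructed sample reports the two lines that carry a `wordpress_logged_in_*` and a `wordpress_sec_*` cookie; `audit_log_file()` does the same for a real file and writes a `.redacted` copy, which is the safer thing to keep if the log must be retained at all, since a purged or redacted log is exactly what removes the replayable session material the advisory describes.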

The vulnerability underscores the importance of secure debugging practices and the need to carefully manage log files containing sensitive information. Plugin developers are encouraged to implement robust security measures to prevent such leaks and ensure the safe storage of debug log data.
