LiteSpeed Cache plugin for WordPress has a critical security vulnerability

News
By published

A new flaw was found, granting threat actors full access to vulnerable websites.

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
(Image credit: Shutterstock/monticello)

Security researchers have found yet another critical vulnerability in the LiteSpeed Cache plugin for WordPress that allows threat actors to take over websites.

Four months after patching an unauthenticated cross-site scripting flaw, the popular optimization plugin was found vulnerable to a bug described as an “unauthenticated account takeover vulnerability”. In other words, an unauthenticated malicious visitor could abuse the hole to gain access to any logged-in user, including admin accounts. That, as you may presume, grants the attacker full access to the website to do with it as they please.

The bug is tracked as CVE-2024-44000, and carries a severity score of 7.5. Version 6.4.1, and all versions before, were said to be vulnerable. A patch has been deployed which brings LiteSpeed Cache to version 6.5.0.1, and users are advised to install it as soon as possible.

Low severity score

Describing how the flaw works, researchers from Patchstack said that LiteSpeed Cache has kept the debug.log file publicly exposed, allowing unauthenticated individuals to view sensitive information found inside. Besides login credentials, the file includes cookie information from HTTP response headers, and more.

The flaw was given a relatively low severity score since the debug feature must be enabled on WordPress, for the flaw to be abusable. It is disabled by default.

"This vulnerability highlights the critical importance of ensuring the security of performing a debug log process, what data should not be logged, and how the debug log file is managed," Patchstack explained.

LiteSpeed Cache is a plugin for the website builder WordPress promising faster page load times, better user experience, and improved Google Search Results Page positions. It is designed to improve website performance by reducing page load times, which it achieves by storing static versions of dynamic content. When a user requests a page, LSCache serves the cached version, minimizing the need for the server to regenerate the page repeatedly. This results in faster response times and reduced server load.

Via The Hacker News

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over a million WordPress sites exposed to attack from W3 Total Cache plugin flaw
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Top WordPress plugins found to have some serious security flaws, so make sure you're protected
WordPress
Another top WordPress plugin found carrying critical security flaws
WordPress
WordPress users beware - these popular theme plugins have some major security issues
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
More about security
Money

Financial leaders still rely on regular tools like Excel for automation tasks over AI
Half man, half AI.

Generative AI has a long way to go as siloed data and abuse of its capacity remain a downside – but it does change the game for security teams
TV deals

Amazon has a ton of cheap TVs on sale for March Madness – deals starting at $79.99
See more latest
Most Popular
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
Oracle
Bluehost owner is moving to Oracle Cloud, so could thousands of websites be about to migrate?
Money
Financial leaders still rely on regular tools like Excel for automation tasks over AI
Two examples of the Asus Fragrance Mouse MD101 sitting on a table
Your next computer mouse could have a fragrance compartment for aromatherapy oils – and this Asus idea is nothing to sniff at
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
Eizo FlexScan FLT
Behold the world's most power-efficient monitor — the EIZO FlexScan FLT
A close up of a xenomorph with Earth reflected on its head in the Alien: Earth TV show teaser
Alien: Earth: everything we know so far about FX's upcoming Alien TV show coming to Hulu and Disney+