Patchstack has reported an unauthenticated account takeover vulnerability in the popular LiteSpeed Cache plugin. This report comes just weeks after John Blackbourn reported a critical unauthenticated privilege escalation vulnerability in the same plugin, which earned him the highest bounty in the history of the WordPress bug bounty: $14,400.
More About the Vulnerability
The new vulnerability stems from further technical analysis of Blackbourn’s initial findings. Rafie Mohammed from Patchstack explained, “In the previous report, we noticed that the hash could also be leaked from a debug log file and we decided to check other possible information leaks on the debug log file.”
The unauthenticated account takeover vulnerability (CVE-2024-44000) affects a plugin with over 5 million active installs. It allows any unauthenticated visitor to obtain the authentication data of logged-in users and use it to act as those users, including assuming an Administrator role.
Recommended Course of Action
Users are strongly advised to update to version 6.5.0.1 immediately. After updating, it’s crucial to manually purge the debug logs, especially if the plugin’s debug feature has been enabled. More details on the patch can be found in the changeset.
Rafie Mohammed emphasized the importance of securing the debug log process, stating, “This vulnerability highlights the critical importance of ensuring the security of performing a debug log process, what data should not be logged, and how the debug log file is managed. In general, we highly do not recommend a plugin or theme to log sensitive data related to authentication into the debug log file.”
Plugin and theme authors should always store debug log data securely, using random filenames and adding an .htaccess rule to prevent unauthorized access.
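The following is an added example, not code from LiteSpeed Cache or from Patchstack, showing what the advice above looks like for a hypothetical WordPress plugin: the log lives under the uploads directory with a random, persisted filename, an .htaccess rule denies direct web access, and, following Rafie Mohammed's point about what should not be logged, cookie, authorization and other authentication-related values are redacted before anything is written. The option name, directory name and class name are assumptions made for the example.

```php
<?php
// Added illustrative example (not LiteSpeed Cache code): a hardened debug
// logger for a hypothetical WordPress plugin. It applies the page's advice
// (random log filename, .htaccess deny rule) and additionally redacts
// authentication-related data so cookies and tokens never reach the log.

class Hardened_Debug_Log {
    // Hypothetical option name used to remember the random log filename.
    const OPTION = 'myplugin_debug_log_name';

    // Keys whose values must never be written to the log.
    const SENSITIVE_KEYS = array(
        'cookie', 'set-cookie', 'authorization', 'password', 'pass',
        'nonce', 'token', 'hash', 'secret', 'session',
    );

    private $dir;
    private $file;

    public function __construct() {
        $upload    = wp_upload_dir();
        $this->dir = trailingslashit( $upload['basedir'] ) . 'myplugin-logs';
        wp_mkdir_p( $this->dir );
        $this->write_access_rules();

        // Use a random, unguessable filename and persist it so the plugin can
        // find the log again. Never use a predictable name such as debug.log.
        $name = get_option( self::OPTION );
        if ( ! $name ) {
            $name = 'debug-' . wp_generate_password( 32, false ) . '.log';
            update_option( self::OPTION, $name, false );
        }
        $this->file = $this->dir . '/' . $name;
    }

    // Deny direct web access to the log directory. Apache and LiteSpeed honour
    // .htaccess; on nginx an equivalent "location" block must be added to the
    // server configuration instead, because nginx ignores .htaccess files.
    private function write_access_rules() {
        $rules = "<IfModule mod_authz_core.c>\n"
               . "    Require all denied\n"
               . "</IfModule>\n"
               . "<IfModule !mod_authz_core.c>\n"
               . "    Order deny,allow\n"
               . "    Deny from all\n"
               . "</IfModule>\n";
        $path = $this->dir . '/.htaccess';
        if ( ! file_exists( $path ) ) {
            file_put_contents( $path, $rules );
        }
        // An empty index.php also prevents directory listings on servers that
        // would otherwise expose the random filename.
        $index = $this->dir . '/index.php';
        if ( ! file_exists( $index ) ) {
            file_put_contents( $index, "<?php // Silence is golden.\n" );
        }
    }

    // Recursively replace the values of sensitive keys before logging.
    public static function redact( $data ) {
        if ( ! is_array( $data ) ) {
            return $data;
        }
        $out = array();
        foreach ( $data as $key => $value ) {
            $lower = strtolower( (string) $key );
            $hit   = false;
            foreach ( self::SENSITIVE_KEYS as $needle ) {
                if ( false !== strpos( $lower, $needle ) ) {
                    $hit = true;
                    break;
                }
            }
            $out[ $key ] = $hit ? '[REDACTED]' : self::redact( $value );
        }
        return $out;
    }

    // Append one entry; the context array is redacted before serialisation.
    public function log( $message, array $context = array() ) {
        $entry = sprintf(
            "[%s] %s %s\n",
            gmdate( 'c' ),
            $message,
            wp_json_encode( self::redact( $context ) )
        );
        file_put_contents( $this->file, $entry, FILE_APPEND | LOCK_EX );
    }
}

// Usage inside a plugin (constructed example):
// $log = new Hardened_Debug_Log();
// $log->log( 'incoming request', array(
//     'uri'     => $_SERVER['REQUEST_URI'],
//     'headers' => getallheaders(), // Cookie/Authorization become [REDACTED]
// ) );
```

The redaction step is the part that would have mattered most here: a random filename and an .htaccess rule reduce exposure, but a log that never contains session cookies or authentication hashes cannot be turned into an account takeover even if it is reached. Keep the key list short and review it whenever a new header or request field is logged.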