A major security vulnerability has been uncovered in the LiteSpeed Cache plugin, used on over 5 million WordPress websites worldwide. The flaw, identified as CVE-2024-44000, was discovered by Rafie Muhammad, a security researcher at Patchstack. Rated with a CVSS score of 9.8, the vulnerability poses a severe threat to WordPress users by allowing unauthorized individuals to take control of logged-in accounts, including those with administrative access.
LiteSpeed Cache is primarily known for its role in improving website performance by caching and optimizing site content. However, this recent flaw creates an alarming situation where attackers can hijack user sessions and potentially gain full control over a website, including administrative privileges. Once attackers obtain admin-level access, they can upload malicious plugins, alter site functionality, or even take down the website entirely, causing long-term damage.
The vulnerability is linked to the plugin’s debug log feature, which inadvertently leaks sensitive HTTP response headers, including “Set-Cookie” headers. If this feature is enabled or was previously active, attackers can exploit the flaw by accessing the /wp-content/debug.log file, hijacking user sessions.
The issue arises when HTTP response headers, including session cookies, are written into the debug log file. If this file is not deleted after the debug feature is disabled, it remain
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: