LiteSpeed Vulnerability: Plugin Flaw Puts Websites At Risk - TuxCare


Wajahat Raja

September 16, 2024 - TuxCare expert team

As per recent reports, a LiteSpeed vulnerability that can lead to unauthorized control of arbitrary accounts has been discovered. Details pertaining to the WordPress security flaw have been made public due to the efforts of Patchstack researcher Rafie Muhammad. In this article, we’ll dive into these details and uncover how threat actors can exploit the LiteSpeed vulnerability. Let’s begin! 

Initial Discovery Of The LiteSpeed Vulnerability 

The discovery of this vulnerability came as a result of an extensive security analysis of the plugin. Before we go into the details, it’s worth mentioning that this analysis also led to the discovery of a separate vulnerability earlier this year. The previous vulnerability was tracked as CVE-2024-28000. 

It had a critical severity score (CVSS) of 9.8 and could be exploited by threat actors for privilege escalation. The recently identified vulnerability is being tracked as CVE-2024-44000 and has a CVSS score of 7.5. While this flaw is less severe than its predecessor, it can still harm affected users if exploited.

The unauthenticated LiteSpeed Cache flaw affects version 6.4.1 and all versions before it. Providing insights pertaining to this LiteSpeed vulnerability, researcher Rafie Muhammad has stated that:

“The plugin suffers from an unauthenticated account takeover vulnerability which allows any unauthenticated visitor to gain authentication access to any logged-in users and at worst can gain access to an Administrator level role after which malicious plugins could be uploaded and installed.”

CVE-2024-44000 And Protection Measures 

The new LiteSpeed vulnerability stems from a log file named “/wp-content/debug.log”. This file is publicly exposed, which gives attackers the possibility of reading it without authentication. That access can be used to view sensitive information contained within the file. In addition, they may see cookie information present in HTTP response headers.

Access to this information is what allows threat actors to launch an attack based on the new vulnerability. By exploiting the flaw, a threat actor can log in to a vulnerable site using any session that is active and valid. Its lower severity score reflects the fact that a prerequisite must be fulfilled before the flaw can be exploited.

To use the vulnerability for malicious purposes, the debug feature on WordPress must be enabled. The vulnerability, if exploited, could also affect users who turned the feature on at some point but didn’t remove the debug file. It’s worth mentioning here that this feature is disabled by default. 

As for protection measures, the vulnerability has been addressed in version 6.5.0.1. The patch moves the log file to a dedicated folder named “/wp-content/litespeed/debug/”. It also randomizes file names and drops the option to log cookies in the file.
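For sites where the debug feature was switched on at some point, the check below looks for a leftover log at the old path and counts lines that carry cookie data. It is an added example, not code from the article, Patchstack or the plugin; the log-line format, the sample lines and the suggested actions are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

LEGACY_LOG = Path("wp-content") / "debug.log"  # old log path named in the article
# Assumption: leaked session data shows up as Cookie/Set-Cookie header text or
# as WordPress auth cookie names (wordpress_logged_in_*, wordpress_sec_*).
COOKIE_RE = re.compile(
    r"(?i)\b(?:set-)?cookie\s*:|wordpress_(?:logged_in|sec)_[0-9a-f]+="
)

# Constructed sample lines, not real plugin output.
SAMPLE_LOG = (
    "09/16/24 10:00:01 [purge] cache tag cleared\n"
    "09/16/24 10:00:02 Response headers: Set-Cookie: "
    "wordpress_logged_in_0123abcd=alice%7CEXAMPLE; path=/\n"
    "09/16/24 10:00:03 Cookie: wordpress_sec_0123abcd=alice%7CEXAMPLE\n"
)


def audit_debug_log(wp_root):
    """Report whether the legacy log exists and how many lines hold cookie data."""
    log = Path(wp_root) / LEGACY_LOG
    result = {"path": str(log), "exists": log.is_file(),
              "cookie_lines": 0, "action": "none"}
    if not result["exists"]:
        return result
    with log.open("r", encoding="utf-8", errors="replace") as fh:
        result["cookie_lines"] = sum(1 for line in fh if COOKIE_RE.search(line))
    # A leftover file stays readable even after debugging is turned off.
    if result["cookie_lines"]:
        result["action"] = "delete log and invalidate active sessions"
    else:
        result["action"] = "delete log"
    return result


def demo():
    """Build a throwaway WordPress-like tree holding SAMPLE_LOG and audit it."""
    with tempfile.TemporaryDirectory() as root:
        log = Path(root) / LEGACY_LOG
        log.parent.mkdir(parents=True)
        log.write_text(SAMPLE_LOG, encoding="utf-8")
        return audit_debug_log(root)


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:]
    for wp_root in roots:  # pass one or more WordPress roots on the command line
        print(audit_debug_log(wp_root))
    if not roots:
        print(demo())
```

Run it with the WordPress root directories as arguments; with no arguments it audits the constructed sample.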

Conclusion 

The LiteSpeed vulnerability highlights the importance of securing WordPress installations, particularly when debugging features are enabled. Website owners should promptly update to the latest plugin version and implement recommended security measures to mitigate risks, ensuring their sites remain protected from unauthorized access and potential malicious exploitation.

The sources for this piece include articles in The Hacker News and TechRadar.
