Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress

September 6, 2024 at 03:27AM

A critical security flaw (CVE-2024-44000) has been found in the LiteSpeed Cache plugin for WordPress, affecting versions up to and including 6.4.1. When the plugin's debug logging feature was enabled, its log was written to the publicly reachable /wp-content/debug.log and could record HTTP response headers, including Set-Cookie headers carrying WordPress session cookies. An unauthenticated attacker who fetched the file could replay those cookies and take over arbitrary accounts. The vulnerability is resolved in version 6.5.0.1. Site owners are urged to check for the file, remove it, and block web access to it.

The key takeaways from the report are as follows:
– Cybersecurity researchers uncovered a critical security flaw in the LiteSpeed Cache plugin for WordPress, tracked as CVE-2024-44000 (CVSS score: 7.5) and affecting versions up to and including 6.4.1.
– The vulnerability lets unauthenticated users take over arbitrary accounts, up to and including accounts with the Administrator role, by reusing session cookies recorded in the exposed log.
– Site owners should check for the presence of /wp-content/debug.log on their installations, purge it if present, and add an .htaccess rule denying direct access to log files. Any cookies already written to the file should be treated as compromised.
– The patch moves the log file to a dedicated folder, randomizes the filename, and drops the option to log cookies.
– Users are advised to update to 6.5.0.1 or later and follow the security recommendations above to safeguard their installations.
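The check-and-mitigate procedure in the recommendations above, written out as an added example (this is not code from the article, from Patchstack, or from LiteSpeed Technologies). It assumes an Apache or LiteSpeed web server that honours .htaccess (nginx ignores it), a hypothetical WordPress document root passed as the first argument, and a constructed sample debug.log that mimics logged response headers. The script audits for the file, counts lines that carry cookie material, writes an idempotent deny rule for debug.log, and purges the file.

```shell
#!/bin/sh
# Added example, not code from the article or from LiteSpeed Technologies.
# Audits a WordPress document root for the exposed wp-content/debug.log
# condition described above and applies the recommended mitigations.
# Assumptions: Apache/LiteSpeed honouring .htaccess; the WordPress root is
# a hypothetical path passed in as $1.

# Return 0 when wp-content/debug.log exists and is non-empty.
debug_log_present() {
    [ -s "$1/wp-content/debug.log" ]
}

# Print how many log lines carry cookie material: a Set-Cookie header or a
# WordPress auth cookie name. Non-zero means session cookies are on disk.
cookie_lines_in_log() {
    log="$1"
    if [ ! -f "$log" ]; then
        echo 0
        return 0
    fi
    grep -Eic 'set-cookie|wordpress_logged_in_|wordpress_sec_' "$log" || true
}

# Return 0 when no debug.log is present, 1 when the site is exposed.
audit_wp_root() {
    wp_root="$1"
    if ! debug_log_present "$wp_root"; then
        echo "ok: no wp-content/debug.log under $wp_root"
        return 0
    fi
    n=$(cookie_lines_in_log "$wp_root/wp-content/debug.log")
    echo "exposed: wp-content/debug.log present, $n cookie-bearing line(s)"
    return 1
}

# Deny web access to debug.log via wp-content/.htaccess (idempotent).
# Emits both the Apache 2.4 and the 2.2 directive forms so either works.
protect_debug_log() {
    ht="$1/wp-content/.htaccess"
    grep -q '<Files "debug.log">' "$ht" 2>/dev/null && return 0
    cat >> "$ht" <<'EOF'
<Files "debug.log">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
EOF
}

# Remove the leaked log. Cookies already in it must be treated as
# compromised, so existing sessions should be invalidated as well.
purge_debug_log() {
    rm -f "$1/wp-content/debug.log"
}

# Constructed sample (not a real capture): a wp-content directory whose
# debug.log contains logged response headers, the shape of the leak.
make_sample_site() {
    dir="$1"
    mkdir -p "$dir/wp-content"
    printf '%s\n' \
        '[05-Sep-2024 10:00:01 UTC] Set-Cookie: wordpress_logged_in_1a2b=admin%7C1725620000%7Cc0ffee; path=/; HttpOnly' \
        '[05-Sep-2024 10:00:01 UTC] X-LiteSpeed-Cache: hit' \
        '[05-Sep-2024 10:00:02 UTC] Set-Cookie: wordpress_sec_1a2b=admin%7C1725620000%7Cdeadbeef; path=/wp-admin; secure; HttpOnly' \
        > "$dir/wp-content/debug.log"
}

# Stand-alone demo on a throwaway directory: audit, remediate, re-audit.
demo_dir=$(mktemp -d)
make_sample_site "$demo_dir"
audit_wp_root "$demo_dir" || {
    protect_debug_log "$demo_dir"
    purge_debug_log "$demo_dir"
}
audit_wp_root "$demo_dir"
rm -rf "$demo_dir"
```

Two caveats worth keeping in mind. The patched plugin moves its own log out of wp-content, but WordPress core's WP_DEBUG_LOG still defaults to wp-content/debug.log, so the .htaccess rule is worth leaving in place after updating. And because any session cookies already written to the file may have been read, purging the file is not enough on its own: rotate the authentication salts in wp-config.php (or otherwise force all users to log in again) so the leaked cookies stop working.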