September 6, 2024 at 06:30AM
A critical vulnerability, CVE-2024-44000, was discovered in the LiteSpeed Cache plugin for WordPress, allowing attackers to potentially take over websites by retrieving and using stored user cookies. The flaw was identified and reported by Patchstack, who emphasized the importance of securing the debug log process. The issue was resolved with the release of LiteSpeed Cache version 6.5.0.1, but millions of websites may still be affected.
The key takeaways are:
1. A vulnerability (CVE-2024-44000) in the LiteSpeed Cache plugin for WordPress allows attackers to retrieve user cookies and potentially take over websites.
2. The vulnerability can be exploited if the debug feature is enabled, potentially exposing sensitive information.
3. Patchstack identified and reported the security defect, which it considers critical and which impacts any website with the debug feature enabled.
4. LiteSpeed addressed the flaw in version 6.5.0.1 by implementing several changes to the plugin’s functionality, but millions of websites may still be affected.
5. Approximately 4.5 million websites using LiteSpeed Cache may still need to patch against this vulnerability.
LiteSpeed Cache is also a widely used plugin with millions of installations and a recent high download rate, which adds to the urgency of addressing this security issue.
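For a site that ran with the debug feature enabled, the practical question is whether session cookies ended up in a log. The following added example (not code from LiteSpeed, Patchstack or the original article) scans log text for WordPress authentication cookies, lists the accounts they belong to, and produces a redacted copy. The sample log and its line layout are constructed for illustration; the cookie naming and the `user|expiry|token|hmac` value layout are WordPress core's.

```python
import re
from urllib.parse import unquote

# WordPress core names its auth cookies wordpress_<md5>, wordpress_sec_<md5>
# and wordpress_logged_in_<md5>; the value is user|expiry|token|hmac, URL-encoded.
AUTH_COOKIE = re.compile(
    r"\b(wordpress(?:_logged_in|_sec)?_[0-9a-f]{32})=([^;\s\"']+)"
)

# Constructed sample: the line layout is an assumption, not the plugin's format.
SAMPLE_LOG = """\
09/05/24 10:01:02.123 [203.0.113.7:51234 1 abc] Query String: page=lscache
09/05/24 10:01:02.124 [203.0.113.7:51234 1 abc] Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_0123456789abcdef0123456789abcdef=admin%7C1725800000%7CtokenAAAA%7ChmacBBBB
09/05/24 10:02:10.500 [198.51.100.9:40000 1 def] Set-Cookie: wordpress_sec_0123456789abcdef0123456789abcdef=editor1%7C1725800500%7CtokenCCCC%7ChmacDDDD; path=/wp-admin; HttpOnly
"""


def find_logged_cookies(log_text):
    """Return one record per auth cookie found: line number, name, account."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for match in AUTH_COOKIE.finditer(line):
            # The first field of the decoded value is the account name.
            user = unquote(match.group(2)).split("|", 1)[0]
            hits.append({"line": lineno, "cookie": match.group(1), "user": user})
    return hits


def accounts_to_reset(log_text):
    """Accounts whose sessions appear in the log and should be invalidated."""
    return sorted({hit["user"] for hit in find_logged_cookies(log_text)})


def redact(log_text):
    """Mask auth cookie values, leaving cookie names and other lines intact."""
    return AUTH_COOKIE.sub(lambda m: f"{m.group(1)}=[REDACTED]", log_text)


if __name__ == "__main__":
    for hit in find_logged_cookies(SAMPLE_LOG):
        print(hit)
    print("accounts:", accounts_to_reset(SAMPLE_LOG))
```

The redacted copy can be shared with responders without re-exposing the session values.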