TechRadar
Sead Fadilpašić

LiteSpeed Cache plugin for WordPress has a critical security vulnerability


Security researchers have found yet another critical vulnerability in the LiteSpeed Cache plugin for WordPress that allows threat actors to take over websites.

Four months after an unauthenticated cross-site scripting flaw was patched in the popular optimization plugin, it was found vulnerable to a bug described as an “unauthenticated account takeover vulnerability”. In other words, a malicious visitor with no account could abuse the hole to gain access to any logged-in user, including admin accounts. An administrator session grants the attacker full control of the website, from installing plugins and themes to editing any content.

The bug is tracked as CVE-2024-44000 and carries a severity score of 7.5. Versions up to and including 6.4.1 are affected. The fix shipped in LiteSpeed Cache 6.5.0.1, and users are advised to install it as soon as possible. Updating the plugin does not by itself remove a debug log that has already been written, so site owners should also delete any existing debug.log and treat the sessions of users who logged in while debugging was enabled as exposed.

Why the score is not higher

Describing how the flaw works, researchers from Patchstack said that LiteSpeed Cache kept its debug.log file publicly exposed, so an unauthenticated visitor could simply download it and read the sensitive information inside. Besides login credentials, the file captured HTTP response headers, including the Set-Cookie headers that carry users' WordPress session cookies; replaying a captured admin cookie is all that is needed to act as that administrator.

The flaw was given a lower severity score than a full account takeover would usually earn because the plugin's debug feature must be enabled for the log to be written at all, and it is disabled by default. The practical check is therefore twofold: confirm whether debugging was ever switched on, and confirm whether the site's debug.log is reachable over HTTP.

"This vulnerability highlights the critical importance of ensuring the security of performing a debug log process, what data should not be logged, and how the debug log file is managed," Patchstack explained.

LiteSpeed Cache is a plugin for the WordPress content management system promising faster page load times, a better user experience, and improved search-result positions. It improves website performance by storing static copies of dynamically generated content. When a visitor requests a page, LSCache serves the cached version instead of having the server regenerate the page, which means faster response times and reduced server load.

Via The Hacker News

