CVE-2024-44000: 
WordPress vulnerability analysis and mitigation

CVE-2024-44000 is an Insufficiently Protected Credentials vulnerability affecting LiteSpeed Technologies' LiteSpeed Cache WordPress plugin versions before 6.5.0.1. The vulnerability was discovered in August 2024 and publicly disclosed on September 5, 2024. This plugin, with over 5 million active installations, is one of the most popular caching plugins in the WordPress ecosystem (Patchstack Article).

The vulnerability exists in the debug logging functionality of the LiteSpeed Cache plugin. When debug logging is enabled, the plugin logs HTTP response headers including sensitive 'Set-Cookie' headers that contain authentication tokens. The vulnerability stems from the 'ended()' function which calls headers_list() and logs all response headers to a debug file located at /wp-content/debug.log. Additionally, if the 'Log Cookies' feature is enabled, the plugin also logs request cookies. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL (NVD, Patchstack Article).

This vulnerability allows unauthenticated attackers to gain authentication access to any logged-in users, potentially including administrator accounts. Once administrative access is obtained, attackers can upload and install malicious plugins, leading to complete site compromise. The vulnerability is particularly severe given the plugin's large user base of over 5 million active installations (Patchstack Article).

The vulnerability was patched in version 6.5.0.1 released on September 4, 2024. The patch includes several security improvements: moving the debug log file to a dedicated folder at /wp-content/litespeed/debug/, implementing random string filenames using MD5 hash values, removing the Log Cookies option, eliminating cookies-related information from response headers, and adding a dummy index.php file in the debug directory. Users are strongly advised to update to version 6.5.0.1 or later, and to purge any existing debug.log files (Patchstack Article).