LiteSpeed Cache Plugin Has A Critical Security Vulnerability

Critical security vulnerabilities have been found in the LiteSpeed Cache Plugin for WordPress. These vulnerabilities could affect more than 1.1 million WordPress users.

LiteSpeed, also termed as LSCache is a WordPress website builder. It ensures fast and quick page load time and an overall enhanced user experience. Additionally, this plugin also makes improvements to the positions of Google Search Results. This plugin also supports bbPress, WooCommerce, and Yoast SEO among others. It is an extremely flexible and powerful cache solution benefiting both large and small websites.

Patchstack researchers have stated that LiteSpeedCache publically exposed the debug.log file. The bug carried a 7.5 severity score. Version 6.4.1 and the previous versions have been considered vulnerable to attacks.

LiteSpeed Cache Plugin: Steps to take against this vulnerability

It has been reported that the critical vulnerability comes from a debug log being exposed in public. This file is called /wp-content/debug.log and the public exposure of this file could let unauthenticated attackers access important information within the file.

Steps should be taken to proactively purge the vulnerabilities. Users have been advised to keep their plugins updated to the newest versions to minimize the risks of attacks. Users are asked to update LiteSpeed Cache to the latest Version 6.5.0.1. Cautions have been put out as the vulnerability, CVE-2024-44000 could lead to attackers taking hold of users’ accounts. The updated patch moves the log file to a different folder inside the LSCache folder. Furthermore, it also randomizes the name of the files.

To reduce the threat of attacks, users have also been asked to place a .htaccess rule denying direct access to log files. This method is helpful as the unauthorized actors can still access the log files by simply knowing the file name.

WordPress Tracks Down XSS Vulnerability- Users To Update To 6.5.2.