More than six million WordPress sites could be hijacked in attacks exploiting the recently patched critical unauthenticated account takeover vulnerability in the LiteSpeed Cache plugin, tracked as CVE-2024-44000, BleepingComputer reports.
Exploitation of the flaw, which stems from LiteSpeed Cache's debug logging functionality, could be conducted by attackers with access to the '/wp-content/debug.log' file to exfiltrate users' session cookies, spoof admin users, and take over websites.
Aside from removing all 'debug.log' files that contain at-risk session cookies, admins of WordPress sites using the plugin have been urged to establish an '.htaccess' rule to prevent direct log file access. Such a development comes amid recent targeting of vulnerable LiteSpeed Cache instances, with the critical unauthenticated privilege escalation bug, tracked as CVE-2024-28000, reported to have been exploited by several threat actors hours after its disclosure two weeks ago.
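The two remediation steps above (remove any 'debug.log' that may hold session cookies, then block direct HTTP access to the file) as a single defender-side script. This is an added example, not code from the article or from the LiteSpeed Cache project. It assumes a POSIX shell, that the WordPress root is passed as the first argument, that the web server honours '.htaccess' files (Apache and LiteSpeed do; nginx does not, and needs an equivalent location rule in its server config), and that exposed sessions show up in the log under the standard WordPress cookie name prefix 'wordpress_logged_in_'.

```shell
#!/bin/sh
# Added example: defender-side remediation for CVE-2024-44000 (not the
# article's or the LiteSpeed Cache project's code). Assumptions: POSIX sh,
# the WordPress root is given as $1, the web server honours .htaccess
# (Apache, LiteSpeed), and exposed sessions appear in debug.log under the
# standard WordPress cookie name prefix "wordpress_logged_in_".

# List every debug.log below wp-content, the file the advisory names.
find_debug_logs() {
    find "$1/wp-content" -type f -name 'debug.log' 2>/dev/null
}

# Return 0 if the given log contains WordPress login cookies, i.e. session
# material that is at risk once the file can be fetched over HTTP.
log_has_session_cookies() {
    grep -q 'wordpress_logged_in_' "$1"
}

# Append a rule to wp-content/.htaccess that denies direct HTTP access to
# debug.log. Both the Apache 2.4 (mod_authz_core) and the legacy 2.2 forms
# are included so the rule works on either.
write_htaccess_rule() {
    dir="$1/wp-content"
    mkdir -p "$dir"
    cat >> "$dir/.htaccess" <<'EOF'
# Deny direct access to the WordPress debug log (CVE-2024-44000 mitigation)
<Files "debug.log">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
EOF
}

# Full remediation as the article describes it: remove any debug.log that
# may hold session cookies, then block direct access to future ones.
harden_site() {
    root="$1"
    find_debug_logs "$root" | while IFS= read -r log; do
        if log_has_session_cookies "$log"; then
            echo "$log: contains logged-in session cookies (treat as exposed)"
        fi
        rm -f "$log" && echo "$log: removed"
    done
    write_htaccess_rule "$root"
    echo "$root/wp-content/.htaccess: deny rule for debug.log appended"
}

# Usage: sh harden_debug_log.sh /var/www/html   (the path is an assumption)
if [ $# -gt 0 ]; then
    harden_site "$1"
fi
```

The rule is appended rather than written so an existing '.htaccess' (WordPress's own rewrite rules, for instance) is kept intact; after applying it, requesting '/wp-content/debug.log' from a browser should return 403 rather than the file.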
Attackers have also launched attacks aimed at compromising sites with LiteSpeed Cache implementations impacted by the unauthenticated cross-site scripting flaw, tracked as CVE-2023-40000, in May.