cbcvebase.
CVE-2024-44000
published 2024-10-20


Priority: P1 (92) · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW (exploited in the wild) · EXPLOIT · VulnCheck KEV · Initial access
EPSS: 83.18% (99.6th percentile)
Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache (litespeed-cache) allows Authentication Bypass. This issue affects LiteSpeed Cache: from n/a through < 6.5.0.1.

Affected (2 ranges)

Vendor                  Product          Version range   Fixed in
litespeed_technologies  litespeed_cache  <= 6.5.0.1      -
litespeedtech           litespeed_cache  < 6.5.0.1       6.5.0.1

Detection & IOCs (extracted from sources)

path: /wp-content/debug.log
path: /wp-content/litespeed/debug/
url: /wp-content/debug.log
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wordpress LiteSpeed Cache Plugin debug.log Access Attempt (CVE-2024-44000)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:21; content:"/wp-content/debug.log"; fast_pattern; threshold:type limit, seconds 180, count 1, track by_src; reference:url,attackerkb.com/topics/MmIKD2VSsv/cve-2024-44000; reference:cve,2024-44000; classtype:credential-theft; sid:2056027; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_09_20, cve CVE_2024_44000, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_25; target:dest_ip;)
YARA / regex pattern:
(wordpress(_logged_in)?_[a-f0-9]{32}=[^;]+) in an HTTP response body with content-type text/plain at path /wp-content/debug.log
  • Monitor for unauthenticated HTTP GET requests to /wp-content/debug.log (exact URI length 21 bytes). This is the primary exploitation vector for CVE-2024-44000.
  • Alert on HTTP 200 responses to /wp-content/debug.log with content-type text/plain containing WordPress session cookie patterns (wordpress_logged_in_<hex32>).
  • The debug log file publicly exposes Set-Cookie headers including session cookies. If the log is accessible, any user who logged in while debug was active may have their cookie exposed — including admins.
  • Post-exploitation: watch for admin-level WordPress logins (wp-admin access) immediately following a GET to /wp-content/debug.log from the same source IP, indicating cookie replay.
  • The Metasploit module for this CVE (wp_litespeed_cookie_theft) steals admin cookies from the debug log and then uploads and executes a malicious plugin. Detect plugin upload activity following debug.log access.
  • Check WordPress installations for the presence of a publicly readable /wp-content/debug.log file. The LiteSpeed Cache debug feature is disabled by default but may have been enabled historically, leaving stale logs with valid cookies.
  • The vulnerability is only exploitable if the LiteSpeed Cache debug logging feature was previously or currently enabled. It is disabled by default, so sites that never enabled it are not at risk.
  • Even after patching to 6.5.0.1, old debug.log files containing session cookies may still exist at /wp-content/debug.log and remain exploitable. Operators must manually purge these files.
  • The patched version randomizes log filenames under /wp-content/litespeed/debug/, but randomized names may still be guessable via brute force. An .htaccess deny rule for the log directory is recommended as an additional control.
  • Only session cookies of users who logged in while the debug feature was active are exposed. However, if logs are kept indefinitely, historical login events (including admin logins) may still be present.
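The two checks above (scanning an exposed debug.log for WordPress session cookies, and correlating a debug.log fetch with a later wp-admin hit from the same client) as an added defender-side example; this is not code from the page's sources or from LiteSpeed, and the debug.log layout, the common-log-format access lines and all IPs, cookie values and timestamps are constructed for illustration.

```python
import re

# Cookie pattern from the detection section above; group 1 is the cookie name,
# group 2 the value, which the report redacts so it never re-exposes the credential.
WP_COOKIE_RE = re.compile(r"(wordpress(?:_logged_in)?_[a-f0-9]{32})=([^;]+)")

# Constructed debug.log excerpt (assumed format, not a real capture): the plugin
# wrote the Set-Cookie headers of a login response to the log.
SAMPLE_DEBUG_LOG = """\
10/20/24 12:00:01.000 [203.0.113.5:443 1 HTTP/1.1 POST /wp-login.php] HTTP headers
Set-Cookie: wordpress_logged_in_0123456789abcdef0123456789abcdef=admin%7C1729512000%7Ctok; path=/
Set-Cookie: wordpress_0123456789abcdef0123456789abcdef=admin%7C1729512000%7Ctok2; path=/wp-admin
X-LiteSpeed-Cache-Control: no-cache
"""

def find_exposed_cookies(log_text):
    """Return (cookie_name, 'user|<redacted>') for each WP session cookie found.
    WordPress cookie values are user|expiry|token|hmac with '|' URL-encoded as %7C,
    so only the leading user field is kept for the report."""
    hits = []
    for name, value in WP_COOKIE_RE.findall(log_text):
        user = value.split("%7C", 1)[0]
        hits.append((name, f"{user}|<redacted>"))
    return hits

# Constructed access-log lines (common log format). Only 203.0.113.5 shows the
# replay pattern: a GET to debug.log followed by a successful wp-admin request.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [20/Oct/2024:12:05:00 +0000] "GET /wp-content/debug.log HTTP/1.1" 200 48213',
    '203.0.113.5 - - [20/Oct/2024:12:05:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 9182',
    '198.51.100.7 - - [20/Oct/2024:12:06:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9182',
    '203.0.113.9 - - [20/Oct/2024:12:07:00 +0000] "GET /wp-content/debug.log HTTP/1.1" 404 512',
]

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def correlate_cookie_replay(lines):
    """Return client IPs that requested /wp-content/debug.log and afterwards
    received a 200 for a /wp-admin path, in first-seen order."""
    fetched_log, suspects = set(), []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, method, path, status = m.groups()
        if method == "GET" and path.split("?", 1)[0] == "/wp-content/debug.log":
            fetched_log.add(ip)  # any status: the attempt itself is the signal
        elif ip in fetched_log and path.startswith("/wp-admin") and status == "200":
            if ip not in suspects:
                suspects.append(ip)
    return suspects
```

Run `find_exposed_cookies` against any debug.log still present after patching to decide whether the file must be purged and the listed users' sessions invalidated, and feed `correlate_cookie_replay` the web server's access log to surface clients worth a closer look.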

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL