CVE-2024-44000
published 2024-10-20CVE-2024-44000: Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Authentication Bypass.This issue affects…
PriorityP192critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
83.18%
99.6th percentile
Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Authentication Bypass.This issue affects LiteSpeed Cache: from n/a through < 6.5.0.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| litespeed_technologies | litespeed_cache | <= 6.5.0.1 | — |
| litespeedtech | litespeed_cache | < 6.5.0.1 | 6.5.0.1 |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wordpress LiteSpeed Cache Plugin debug.log Access Attempt (CVE-2024-44000)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:21; content:"/wp-content/debug.log"; fast_pattern; threshold:type limit, seconds 180, count 1, track by_src; reference:url,attackerkb.com/topics/MmIKD2VSsv/cve-2024-44000; reference:cve,2024-44000; classtype:credential-theft; sid:2056027; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_09_20, cve CVE_2024_44000, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_25; target:dest_ip;)
yara
regex: (wordpress(_logged_in)?_[a-f0-9]{32}=[^;]+) in HTTP response body with content-type text/plain at path /wp-content/debug.log- →Monitor for unauthenticated HTTP GET requests to /wp-content/debug.log (exact URI length 21 bytes). This is the primary exploitation vector for CVE-2024-44000. ↗
- →Alert on HTTP 200 responses to /wp-content/debug.log with content-type text/plain containing WordPress session cookie patterns (wordpress_logged_in_<hex32>). ↗
- →The debug log file publicly exposes Set-Cookie headers including session cookies. If the log is accessible, any user who logged in while debug was active may have their cookie exposed — including admins. ↗
- →Post-exploitation: watch for admin-level WordPress logins (wp-admin access) immediately following a GET to /wp-content/debug.log from the same source IP, indicating cookie replay. ↗
- →The Metasploit module for this CVE (wp_litespeed_cookie_theft) steals admin cookies from the debug log and then uploads and executes a malicious plugin. Detect plugin upload activity following debug.log access. ↗
- →Check WordPress installations for the presence of a publicly readable /wp-content/debug.log file. The LiteSpeed Cache debug feature is disabled by default but may have been enabled historically, leaving stale logs with valid cookies. ↗
- ·The vulnerability is only exploitable if the LiteSpeed Cache debug logging feature was previously or currently enabled. It is disabled by default, so sites that never enabled it are not at risk. ↗
- ·Even after patching to 6.5.0.1, old debug.log files containing session cookies may still exist at /wp-content/debug.log and remain exploitable. Operators must manually purge these files. ↗
- ·The patched version randomizes log filenames under /wp-content/litespeed/debug/, but randomized names may still be guessable via brute force. An .htaccess deny rule for the log directory is recommended as an additional control. ↗
- ·Only session cookies of users who logged in while the debug feature was active are exposed. However, if logs are kept indefinitely, historical login events (including admin logins) may still be present. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-rh5m-mw2h-v9rv: Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Authentication Bypass
ghsa_unreviewed·2024-10-20
CVE-2024-44000 [CRITICAL] CWE-522 GHSA-rh5m-mw2h-v9rv: Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Authentication Bypass
Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Authentication Bypass.This issue affects LiteSpeed Cache: from n/a before 6.5.0.1.
VulnCheck
LiteSpeed Technologies LiteSpeed Cache Insufficiently Protected Credentials
vulncheck·2024·CVSS 9.8
CVE-2024-44000 [CRITICAL] LiteSpeed Technologies LiteSpeed Cache Insufficiently Protected Credentials
LiteSpeed Technologies LiteSpeed Cache Insufficiently Protected Credentials
Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Authentication Bypass.This issue affects LiteSpeed Cache: from n/a through < 6.5.0.1.
Affected: LiteSpeed Technologies LiteSpeed Cache
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://info.greynoise.io/hubfs/resources/GreyNoise-2025-Mass-Internet-Exploitation-Report.pdf; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-44000&date=2025-10-16; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-44000&date=2025-10-17; https://api.
Suricata
ET WEB_SPECIFIC_APPS Wordpress LiteSpeed Cache Plugin debug.log Access Attempt (CVE-2024-44000)
suricata·2024-09-20·CVSS 9.8
CVE-2024-44000 [CRITICAL] ET WEB_SPECIFIC_APPS Wordpress LiteSpeed Cache Plugin debug.log Access Attempt (CVE-2024-44000)
ET WEB_SPECIFIC_APPS Wordpress LiteSpeed Cache Plugin debug.log Access Attempt (CVE-2024-44000)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wordpress LiteSpeed Cache Plugin debug.log Access Attempt (CVE-2024-44000)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:21; content:"/wp-content/debug.log"; fast_pattern; threshold:type limit, seconds 180, count 1, track by_src; reference:url,attackerkb.com/topics/MmIKD2VSsv/cve-2024-44000; reference:cve,2024-44000; classtype:credential-theft; sid:2056027; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_09_20, cve CVE_2024_44000, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence Hi
Exploit-DB
Litespeed Cache 6.5.0.1 - Authentication Bypass
exploitdb·2025-03-28·CVSS 9.8
CVE-2024-44000 [CRITICAL] Litespeed Cache 6.5.0.1 - Authentication Bypass
Litespeed Cache 6.5.0.1 - Authentication Bypass
---
# Exploit Title: Litespeed Cache 6.5.0.1 - Authentication Bypass
# Google Dork: [if applicable]
# Date: reported on 17 September 2024
# Exploit Author: Gnzls
# Vendor Homepage: https://www.litespeedtech.com/
# Software Link: https://github.com/gbrsh/CVE-2024-44000?tab=readme-ov-file
# Version: 6.5.0.1
# Tested on: macOS M2 pro
# CVE : CVE-2024-44000
import re
import sys
import requests
import argparse
from urllib.parse import urljoin
def extract_latest_cookies(log_content):
user_cookies = {}
pattern_cookie = re.compile(r'Cookie:\s.*?wordpress_logged_in_[^=]+=(.*?)%')
for line in log_content.splitlines():
cookie_match = pattern_cookie.search(line)
if cookie_match:
username = cookie_match.group(1)
user_cookies[username] = line
retu
Nuclei
LiteSpeed Cache <= 6.4.1 - Sensitive Information Exposure
nuclei·CVSS 9.8
CVE-2024-44000 [CRITICAL] LiteSpeed Cache <= 6.4.1 - Sensitive Information Exposure
LiteSpeed Cache <= 6.4.1 - Sensitive Information Exposure
The LiteSpeed Cache plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.4.1 through the debug.log file that is publicly exposed. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log file. The log file may contain user cookies making it possible for an attacker to log in with any session that is actively valid and exposed in the log file. Note: the debug feature must be enabled for this to be a concern and this feature is disabled by default.
Template:
id: CVE-2024-44000
info:
name: LiteSpeed Cache <= 6.4.1 - Sensitive Information Exposure
author: s4e-io
severity: high
description: |
The LiteSpeed Cache
Metasploit
Wordpress LiteSpeed Cache plugin cookie theft
metasploit
Wordpress LiteSpeed Cache plugin cookie theft
Wordpress LiteSpeed Cache plugin cookie theft
This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a Wordpress plugin that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when the Debug Logging feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint which is accessible without authentication. The Debug Logging feature in the plugin is not enabled by default. The admin cookies found in the debug.log can be used to upload and execute a malicious plugin containing a payload.
Bleepingcomputer
LiteSpeed Cache WordPress plugin bug lets hackers get admin access
blogs_bleepingcomputer·2024-10-31·CVSS 9.8
CVE-2024-50550 [CRITICAL] LiteSpeed Cache WordPress plugin bug lets hackers get admin access
## LiteSpeed Cache WordPress plugin bug lets hackers get admin access
## Bill Toulas
The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw on its latest release that could allow unauthenticated site visitors to gain admin rights.
LiteSpeed Cache is a caching plugin used by over six million WordPress sites, helping to speed up and improve user browsing experience.
The newly discovered high-severity flaw tracked as CVE-2024-50550 is caused by a weak hash check in the plugin's "role simulation" feature, designed to simulate user roles to aid the crawler in site scans from different user levels.
The feature's function ('is_role_simulation()') performs two primary checks using weak security hash values stored in cookies ('litespeed_
Bleepingcomputer
LiteSpeed Cache bug exposes 6 million WordPress sites to takeover attacks
blogs_bleepingcomputer·2024-09-05·CVSS 9.8
CVE-2024-44000 [CRITICAL] LiteSpeed Cache bug exposes 6 million WordPress sites to takeover attacks
## LiteSpeed Cache bug exposes 6 million WordPress sites to takeover attacks
## Bill Toulas
Yet, another critical severity vulnerability has been discovered in LiteSpeed Cache, a caching plugin for speeding up user browsing in over 6 million WordPress sites.
The flaw, tracked as CVE-2024-44000 and categorized as an unauthenticated account takeover issue, was discovered by Patchstack's Rafie Muhammad on August 22, 2024. A fix was made available yesterday with the release of LiteSpeed Cache version 6.5.0.1.
## Debug feature writes cookies to file
The vulnerability is tied to the plugin's debug logging feature, which logs all HTTP response headers into a file, including the "Set-Cookie" header, when enabled.
Those headers contain session cookies used to authenticate users, so if an atta
2024-10-20
Published
Exploited in the wild