Which LiteSpeed Cache versions are affected?

Two relevant bugs in 2024. CVE-2024-44000 (disclosed September 2024) affected installations whose debug log contained session cookies, exposing account-takeover information if the log was reachable from the web. CVE-2024-50550 (disclosed October 2024) was an unauthenticated privilege-escalation via the role-simulation feature, patched in version 6.5.2.

How serious was the exploitation?

Both bugs received public proof-of-concept code within days. LiteSpeed Cache has roughly five million installs, so the absolute number of vulnerable sites was very large even though only a fraction were actively exploited. Sites that did not auto-update through the patch window are at higher risk.

Is my debug log a problem?

If you ever enabled LiteSpeed Cache debugging and the resulting log file was publicly readable, it may have contained session-cookie hashes that an attacker could use to authenticate as a real user. Disable debug, delete the log file, and rotate sessions. I do this as part of every cleanup involving LiteSpeed Cache.

I patched and the site looks fine. Do I still need a cleanup?

Only you can answer that for sure. If the site was vulnerable during the exploit window and you have no logs proving it wasn't reached, a forensic review is the only way to be sure no persistence was planted. Patching closes the door — it doesn't tell you who already walked through it.

CVE-2024-50550 · CVE-2024-44000 · 5M installs

LiteSpeed Cache compromise cleanup.

Two critical LiteSpeed Cache bugs in 2024 — unauth privilege escalation and session-hash leak. Five million installs. If yours was on a vulnerable version during the disclosure window, you need a forensic look. Flat $279.

Start a cleanup About the bugs

Two bugs, both bad

What was vulnerable, what attackers did with it.

CVE-2024-44000 — the LiteSpeed Cache debug log captured the wordpress_logged_in cookie. If debug was enabled and the log file was reachable from the web, an attacker could lift session hashes and authenticate as any logged-in user, including administrators. Patched in 6.5.0.1.

CVE-2024-50550 — an unauthenticated privilege-escalation in the role-simulation feature used for crawler simulation. A weak hash allowed unauthenticated visitors to forge a session for any user ID. Patched in 6.5.2.

Indicators

What I look at.

Debug log
wp-content/litespeed/debug.log or any *.log under wp-content/litespeed/. Anything web-readable. If present and ever exposed, treat sessions as leaked.
Role sim
wp_options entries with role-simulation hashes, and POSTs to LiteSpeed Cache REST endpoints from unfamiliar IPs in October 2024 onward.
Users
New administrators created during the disclosure window. Sessions issued for admin users from unfamiliar geographies.
Files
Recently-modified plugin/theme PHP files, fresh PHP in uploads, new mu-plugins.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.