CVE-2024-44000

CRITICAL · EXPLOITED · NUCLEI

LiteSpeed Cache < 6.5.0.1 - Unauthenticated Authentication Bypass via Insufficiently Protected Credentials

Title source: llm

Exploitation Summary

CVE-2024-44000 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Caner Tercan, absholi7ly and geniuszly, among them a Metasploit module, exploits/multi/http/wp_litespeed_cookie_theft. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit extracts WordPress session cookies from a publicly accessible debug.log file, enabling authentication bypass by impersonating logged-in users. It leverages misconfigured logging to steal cookies and gain unauthorized access.

Description

Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Authentication Bypass. This issue affects LiteSpeed Cache: from n/a through < 6.5.0.1.

Exploits (6)

exploitdb · WORKING POC
by Caner Tercan · python · webapps · php
https://www.exploit-db.com/exploits/52099

This exploit extracts WordPress session cookies from a publicly accessible debug.log file, enabling authentication bypass by impersonating logged-in users. It leverages misconfigured logging to steal cookies and gain unauthorized access.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Litespeed Cache 6.5.0.1 (WordPress)
No auth needed
Prerequisites: Publicly accessible debug.log file · WordPress site with active user sessions
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC · 15 stars
by absholi7ly · remote
https://github.com/absholi7ly/CVE-2024-44000-LiteSpeed-Cache

This PoC exploits CVE-2024-44000 in the LiteSpeed Cache WordPress plugin by extracting session cookies from a publicly accessible debug.log file and using them to hijack admin sessions via crafted URLs.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: LiteSpeed Cache WordPress plugin
No auth needed
Prerequisites: Publicly accessible debug.log file containing session cookies · WordPress site with LiteSpeed Cache plugin installed
devstral-2 · analyzed Feb 19, 2026

nomisec · WORKING POC · 4 stars
by geniuszly · remote
https://github.com/geniuszly/CVE-2024-44000

This repository contains a functional Python script that exploits CVE-2024-44000 by extracting session cookies from exposed WordPress debug logs and attempting to hijack admin sessions. The tool automates the process of fetching logs, filtering session cookies, and testing them for admin access.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: WordPress (version not specified)
No auth needed
Prerequisites: Exposed WordPress debug logs (wp-content/debug.log) · Active admin sessions with cookies logged
devstral-2 · analyzed Feb 19, 2026

nomisec · WORKING POC · 3 stars
by ifqygazhar · remote
https://github.com/ifqygazhar/CVE-2024-44000-LiteSpeed-Cache

This repository contains a functional Python script that exploits CVE-2024-44000 in the LiteSpeed Cache WordPress plugin by extracting session cookies from exposed debug logs and attempting to hijack admin sessions. The script automates the process of accessing debug logs, parsing cookies, and testing them for admin access.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: LiteSpeed Cache WordPress plugin
No auth needed
Prerequisites: Exposed debug.log file · WordPress site with LiteSpeed Cache plugin installed
devstral-2 · analyzed Feb 19, 2026

nomisec · WORKING POC
by gbrsh · remote
https://github.com/gbrsh/CVE-2024-44000

This exploit targets CVE-2024-44000, an unauthorized account takeover vulnerability in LiteSpeed servers. It extracts WordPress user session cookies from exposed debug logs and allows impersonation of logged-in users.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: LiteSpeed Web Server (with WordPress)
No auth needed
Prerequisites: Exposed debug.log file at /wp-content/debug.log · Active WordPress sessions in the log
devstral-2 · analyzed Feb 19, 2026

metasploit · WORKING POC · EXCELLENT
by Rafie Muhammad, jheysel-r7 · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_litespeed_cookie_theft.rb

This Metasploit module exploits an unauthenticated account takeover vulnerability in the LiteSpeed Cache WordPress plugin (CVE-2024-44000) by stealing admin cookies from the debug.log file when Debug Logging is enabled. It then uses the stolen cookies to upload and execute a malicious plugin for remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress LiteSpeed Cache plugin < 6.5.0.1
No auth needed
Prerequisites: Debug Logging feature enabled in LiteSpeed Cache plugin · Access to /wp-content/debug.log
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

LiteSpeed Cache <= 6.4.1 - Sensitive Information Exposure
HIGH · VERIFIED · by s4e-io

Scores

CVSS v3 9.8
EPSS 0.8318
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-02-27
CWE
CWE-522
Status published
Products (2)
LiteSpeed Technologies/LiteSpeed Cache < 6.5.0.1
litespeedtech/litespeed_cache < 6.5.0.1
Published Oct 20, 2024
Tracked Since Feb 18, 2026