Security Vulnerability in WordPress LiteSpeed Cache Plugin Puts Websites at Risk of XSS Attacks

04 Oct, 2024Ravie LakshmananWebsite Protection / Vulnerability

A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow malicious actors to execute arbitrary JavaScript code under certain conditions.

The vulnerability, tracked as CVE-2024-47374 (CVSS score: 7.2), has been described as a stored cross-site scripting (XSS) flaw affecting all versions of the plugin up to and including 6.5.0.2.

Version 6.5.1, released on September 25, 2024, addressed the issue after it was responsibly disclosed by security researcher TaiYou of the Patchstack Alliance.

According to a report by Patchstack, “This could potentially permit an unauthorized user to steal sensitive data or, in this instance, escalate privileges on the WordPress site with just one HTTP request.”

The vulnerability stems from the plugin parsing the value of the “X-LSCACHE-VARY-VALUE” HTTP header without adequate sanitization and output escaping, which makes it possible to inject arbitrary web scripts.

However, it’s worth noting that for the exploit to succeed, the Page Optimization settings “CSS Combine” and “Generate UCSS” must be enabled.
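To show the two defences the advisory says were missing around that header (sanitizing the value on input and escaping it on output), the following PHP is an added example and not LiteSpeed Cache's own code; the function names, the `data-vary` attribute context and the allow-list pattern are assumptions, and only the header name comes from the article.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code. Only the header name is taken
// from the advisory; everything else here is a hypothetical rendering path.
const VARY_HEADER = 'HTTP_X_LSCACHE_VARY_VALUE'; // $_SERVER key for the header

// Vulnerable pattern: the header value flows into generated markup untouched,
// so whatever a client sends is stored with the cached page and replayed to
// every later visitor (the stored XSS class the article describes).
function vary_value_unsafe(array $server): string {
    return $server[VARY_HEADER] ?? '';
}

function render_unsafe(array $server): string {
    return '<div data-vary="' . vary_value_unsafe($server) . '"></div>';
}

// Hardened pattern, step 1: sanitize on input. A vary value is an opaque cache
// key, so an allow-list is the right shape (WordPress core equivalent:
// sanitize_text_field() followed by this check).
function vary_value_safe(array $server): string {
    $raw = $server[VARY_HEADER] ?? '';
    $raw = strip_tags($raw);                             // drop any markup
    $raw = preg_replace('/[\x00-\x1F\x7F]/', '', $raw);  // drop control chars
    if (!preg_match('/^[A-Za-z0-9_.:-]{1,64}$/', $raw)) {
        return '';                                       // reject anything else
    }
    return $raw;
}

// Hardened pattern, step 2: escape on output for the HTML attribute context
// (WordPress core equivalent: esc_attr()). Escaping still happens after
// sanitizing because the two defences cover different mistakes.
function render_safe(array $server): string {
    $value = htmlspecialchars(vary_value_safe($server), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div data-vary="' . $value . '"></div>';
}

// Constructed requests: a plausible vary key and a value the allow-list rejects.
$benign  = [VARY_HEADER => 'mobile:dark'];
$hostile = [VARY_HEADER => '"><b>not a key</b>'];

if (render_safe($benign) !== '<div data-vary="mobile:dark"></div>') { exit(1); }
if (render_safe($hostile) !== '<div data-vary=""></div>') { exit(1); }
echo render_unsafe($hostile), PHP_EOL; // markup leaks through unchanged
echo render_safe($hostile), PHP_EOL;   // attribute stays empty and intact
```

The advisory's precondition (CSS Combine and Generate UCSS enabled) only gates whether the vulnerable path is reached; the hardening above does not depend on those settings.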

Also known as persistent XSS, these flaws allow an injected script to be stored permanently on the target website’s servers, for example in a database, forum post, visitor log, or comment.

The malicious code embedded in the script then runs every time an unsuspecting visitor loads the affected resource, such as the web page containing the specially crafted comment.

Stored XSS attacks can have severe consequences, as they can be used to deliver browser-based attacks, steal sensitive data, or hijack an authenticated user’s session to perform actions on their behalf.

The risk is greatest when the compromised account belongs to a site administrator, which would give threat actors full control of the website and a foothold for further attacks.

WordPress plugins and themes are common targets for cybercriminals seeking to compromise legitimate sites. With over six million active installations, vulnerabilities in the LiteSpeed Cache plugin present an attractive attack surface for opportunistic cyberattacks.

The most recent patch arrives approximately a month after the plugin developers resolved another flaw (CVE-2024-44000, CVSS score: 7.5) that could enable unauthorized users to seize control of arbitrary accounts.

It follows the exposure of an unaddressed critical SQL injection vulnerability in the TI WooCommerce Wishlist plugin (CVE-2024-43917, CVSS score: 9.8), which, if exploited successfully, grants any user the ability to execute arbitrary SQL queries in the WordPress site’s database.

Also concerning is a critical security flaw in the Jupiter X Core WordPress plugin (CVE-2024-7772, CVSS score: 9.8), allowing unauthenticated attackers to upload arbitrary files to the affected site’s server, potentially leading to remote code execution.

The issue has been fixed in version 4.7.8, alongside a high-severity authentication bypass vulnerability (CVE-2024-7781, CVSS score: 8.1) that “permits unauthenticated attackers to log in as the initial user who logged in with a social media account, including administrator accounts,” Wordfence said.