6 Million WordPress Sites at Risk from XSS Vulnerability in LiteSpeed Cache Plug-In

October 7, 2024

A major security flaw has been identified in the LiteSpeed Cache plug-in for WordPress, which is installed on more than 6 million sites. The vulnerability, a cross-site scripting (XSS) flaw, could allow attackers to escalate privileges and potentially inject malicious code, enabling redirects, ads, and other HTML payloads onto an affected website. The flaw was discovered by a security researcher known as TaiYou, who reported it to Patchstack through its Bug Bounty Program for WordPress.

The vulnerability, tracked as CVE-2024-47374, affects LiteSpeed Cache versions up to 6.5.0.2. The plug-in is described as an 'all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features' and is compatible with popular WordPress plug-ins such as WooCommerce, bbPress, and Yoast SEO. Users are urged to update immediately to prevent potential attacks.

The flaw is an unauthenticated stored XSS vulnerability that could allow any unauthenticated user to steal sensitive information or escalate privileges on the WordPress site by performing a single HTTP request, according to Patchstack. XSS is a common and often exploited web vulnerability that allows an attacker to inject malicious code into a legitimate webpage or application.

TaiYou discovered three flaws in the plug-in, including another XSS flaw and a path-traversal vulnerability. However, only CVE-2024-47374 is considered dangerous and expected to be exploited by attackers, according to Patchstack. Upon notification, the developers of the LiteSpeed Cache plug-in quickly provided a patch for validation. Patchstack then released an update that fixes all three flaws in LiteSpeed Cache version 6.5.1.

CVE-2024-47374 is characterized as creating 'Improper Neutralization of Input During Web Page Generation.' The vulnerability occurs because the code that handles the view of a queue in a part of the plug-in does not implement sanitization and output escaping. This vulnerability is particularly concerning due to the widespread use of WordPress and its plug-ins, which provide a broad attack surface for threat actors.

The patch for CVE-2024-47374 is relatively straightforward, sanitizing the output using esc_html. Patchstack issued a virtual patch to block any attacks until users have updated to the fixed version. In the meantime, all administrators of WordPress sites using LiteSpeed Cache are advised to update to the fixed version 6.5.1 immediately. Patchstack also recommends that WordPress website developers apply escaping and sanitization to any message that will be displayed as an admin notice to mitigate the vulnerability.

Related News

• High-Risk Flaw in WordPress LiteSpeed Cache Plugin Could Lead to Site Takeover

Latest News

• Qualcomm Addresses High-Risk Zero-Day Vulnerability in DSP Service
• Chinese Hacking Group Breaches Major U.S. Broadband Providers
• High-Risk Flaw in WordPress LiteSpeed Cache Plugin Could Lead to Site Takeover
• Apple Patches Two New iOS Security Vulnerabilities: CVE-2024-44204 and CVE-2024-44207
• CosmicSting Attacks Compromise Over 4,000 Adobe Commerce and Magento Stores