High-Risk Flaw in WordPress LiteSpeed Cache Plugin Could Lead to Site Takeover

October 5, 2024

A serious vulnerability, identified as CVE-2024-47374, has been discovered in the LiteSpeed Cache plugin for WordPress, potentially enabling attackers to execute arbitrary JavaScript. The flaw is a stored XSS issue, affecting versions up to 6.5.0.2. The plugin, which has over six million active installations, offers server-level caching and optimization features, and supports WordPress Multisite and popular plugins like WooCommerce, bbPress, and Yoast SEO. The flaw was initially reported by TaiYou to the Patchstack bug bounty program for WordPress.

The advisory released by Patchstack states, “This plugin suffers from unauthenticated stored XSS vulnerability. It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request.” The vulnerability stems from improper sanitization of the “X-LSCACHE-VARY-VALUE” HTTP header, which can lead to arbitrary script injection. The vulnerability can be exploited only if the “CSS Combine” and “Generate UCSS” settings are enabled. If exploited, an attacker could potentially hijack the account of a site administrator and gain full control of the website. The issue was addressed in version 6.5.1 on September 25, 2024.

A particularly damaging scenario would be if the hijacked account belongs to a site administrator, which would allow an attacker to take complete control of the website and launch even more potent attacks. The report concludes by recommending, “We recommend applying escaping and sanitization to any message that will be displayed as an admin notice. Depending on the context of the data, we recommend using sanitize_text_field to sanitize value for HTML output (outside of HTML attribute) or esc_html. For escaping values inside of attributes, you can use the esc_attr function.” It also advises applying a proper permission or authorization check to the registered rest route endpoints.
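As an added illustration of the advisory's recommendation (this is not LiteSpeed Cache's own code; the `lsc_example_*` names, the notice text, the option name and the REST route are hypothetical), the following shows an admin notice built from an HTTP header value, first echoed raw and then escaped for its exact output context, together with a REST route gated by an authorization check.

```php
<?php
// Added example, not the plugin's code: safe handling of request-derived data
// (an HTTP header) that ends up in an admin notice, plus a gated REST route.

// Unsafe pattern: the raw header value is written straight into HTML, so any
// markup in it is rendered by the browser of whoever views the admin screen.
function lsc_example_notice_unsafe() {
    $vary = isset( $_SERVER['HTTP_X_LSCACHE_VARY_VALUE'] ) ? $_SERVER['HTTP_X_LSCACHE_VARY_VALUE'] : '';
    echo '<div class="notice notice-info"><p>Vary value: ' . $vary . '</p></div>';
}

// Hardened pattern, following the advisory: sanitize on input, then escape for
// the output context (esc_attr inside an attribute, esc_html inside element text).
function lsc_example_notice_safe() {
    $raw  = isset( $_SERVER['HTTP_X_LSCACHE_VARY_VALUE'] ) ? wp_unslash( $_SERVER['HTTP_X_LSCACHE_VARY_VALUE'] ) : '';
    $vary = sanitize_text_field( $raw ); // strips tags, control characters and stray whitespace
    printf(
        '<div class="notice notice-info" data-vary="%s"><p>Vary value: %s</p></div>',
        esc_attr( $vary ), // value placed inside an HTML attribute
        esc_html( $vary )  // value placed inside element text
    );
}
add_action( 'admin_notices', 'lsc_example_notice_safe' );

// REST endpoint with an explicit permission check. Without permission_callback
// (or with '__return_true') any visitor could invoke the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'lsc-example/v1', '/vary', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $value = sanitize_text_field( (string) $request->get_param( 'value' ) );
            update_option( 'lsc_example_vary_value', $value ); // hypothetical option
            return rest_ensure_response( array( 'stored' => $value ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The two functions differ only in the sanitize/escape step; the stored value is still untrusted at render time, so escaping happens at output, not only at input.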

Earlier in September, the developer behind the LiteSpeed Cache plugin addressed another unauthenticated account takeover vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), that can allow any visitor to gain access to logged-in users' sessions and potentially escalate privileges to the Administrator level. An attacker with that access could, for example, upload malicious plugins. The flaw originates from an HTTP response header leak that exposed “Set-Cookie” headers in a debug log file (/wp-content/debug.log) following login attempts. An unauthenticated attacker could read that file and obtain sensitive information, including user cookie data from HTTP response headers, potentially enabling them to log in using any valid session. However, the flaw can only be exploited if the WordPress site’s debug feature is enabled, which is disabled by default. CVE-2024-44000 impacts versions up to and including 6.4.1 and has been addressed in version 6.5.0.1.
