Serious Security Flaw in WordPress LiteSpeed Cache Plugin

Overview of the LiteSpeed Cache Plugin Issue

A serious security flaw has been found in the LiteSpeed Cache plugin for WordPress, which could allow hackers to run harmful JavaScript code under certain conditions. This vulnerability, tracked as CVE-2024-47374, has a CVSS score of 7.2 and is classified as a stored cross-site scripting (XSS) vulnerability. It impacts all plugin versions up to and including 6.5.0.2.

Thanks to researcher TaiYou from the Patchstack Alliance, the issue was disclosed responsibly and fixed in version 6.5.1 on September 25, 2024.

How the Exploit Works

According to a report from Patchstack, this vulnerability can let attackers perform harmful actions like stealing sensitive data or even gaining higher access on a WordPress site with just one HTTP request.

The problem arises because the plugin doesn’t correctly sanitize or escape the “X-LSCACHE-VARY-VALUE” HTTP header value, which allows attackers to inject harmful web scripts into the system.

Conditions Required for the Exploit

For this exploit to work, certain settings in the Page Optimization section, such as “CSS Combine” and “Generate UCSS”, must be enabled.

What Is a Stored Cross-Site Scripting Attack?

Stored cross-site scripting (XSS) attacks allow attackers to store malicious scripts on a targeted website. These scripts can be saved in various places, such as databases, forums, visitor logs, or even comment sections.

Once the malicious script is injected, it runs every time an unsuspecting user visits the webpage where the harmful code is hidden. This makes stored XSS attacks especially dangerous.

Potential Consequences of the Vulnerability

Such attacks can have severe consequences, including:

  • Spreading browser-based malware
  • Stealing sensitive data
  • Hijacking user sessions to perform actions as the user

In the worst-case scenario, if an admin account is compromised, the hacker can completely take over the website and cause even more damage.

Widespread Impact of LiteSpeed Cache Vulnerability

WordPress plugins and themes are frequent targets for hackers, and LiteSpeed Cache, with over six million active installations, presents a large attack surface. Opportunistic hackers could exploit this vulnerability on a massive scale.

Other Vulnerabilities Recently Patched

In addition to CVE-2024-47374, another vulnerability, CVE-2024-44000 with a CVSS score of 7.5, has also been addressed. This issue could have allowed attackers to take over accounts without logging in.

Furthermore, there are other notable vulnerabilities across WordPress plugins, such as:

  • CVE-2024-43917 in the TI WooCommerce Wishlist plugin, an unpatched SQL injection flaw (CVSS score: 9.8), which could allow hackers to run any SQL queries on the site.
  • CVE-2024-7772 in the Jupiter X Core WordPress plugin, where attackers could upload harmful files to the server, leading to potential remote code execution.

The Jupiter X Core flaw (CVE-2024-7772) was fixed in version 4.7.8 of the Jupiter X Core plugin, along with another authentication bypass flaw (CVE-2024-7781, CVSS score: 8.1), which allowed attackers to log in as the first social media user, including admin accounts.

Final Thoughts

WordPress users should immediately update their LiteSpeed Cache plugin to version 6.5.1 or later to avoid being impacted by this serious security flaw. Keep all plugins up-to-date to protect your website from these types of vulnerabilities.

Make sure to disable any unnecessary settings like “CSS Combine” and “Generate UCSS” in your Page Optimization options until you can install the update.

By staying proactive, WordPress administrators can significantly reduce the risk of these vulnerabilities being exploited.
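To act on the update advice above, the following added example (not code from the article, Patchstack or the plugin authors) reads the Version header from plugin files under a plugins directory and compares it with the fixed versions named in this article. The directory slugs `litespeed-cache` and `jupiterx-core`, and all function names, are assumptions made for the illustration.

```python
import re
from pathlib import Path

# Fixed versions as stated in the article; directory slugs are assumptions.
FIXED = {"litespeed-cache": "6.5.1", "jupiterx-core": "4.7.8"}
# Matches a "Version:" line inside a PHP plugin header comment.
HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(text):
    """Numeric tuple for a dotted version: '6.5.0.2' -> (6, 5, 0, 2)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_vulnerable(installed, fixed):
    """True when installed < fixed, padding so 6.5.0.2 compares below 6.5.1."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(a) < pad(b)

def installed_version(plugin_dir):
    """Read the Version header from the top-level PHP files of a plugin dir."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress itself only reads the first 8 KB when parsing headers.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        m = HEADER.search(head)
        if m and "Plugin Name:" in head:
            return m.group(1)
    return None

def audit(plugins_root):
    """Return {slug: (installed, fixed, status)} for plugins listed in FIXED."""
    report = {}
    for slug, fixed in FIXED.items():
        path = Path(plugins_root) / slug
        if not path.is_dir():
            continue  # plugin not installed
        ver = installed_version(path)
        if ver is None:
            status = "unknown"
        else:
            status = "vulnerable" if is_vulnerable(ver, fixed) else "patched"
        report[slug] = (ver, fixed, status)
    return report
```

Call `audit("/path/to/wp-content/plugins")` on each site and treat any `vulnerable` or `unknown` result as needing manual follow-up.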