    WordPress LiteSpeed Cache Plugin Security Vulnerability Poses XSS Threats to Websites

    A recently uncovered, high-severity security vulnerability in the LiteSpeed Cache plugin for WordPress has raised alarms, as it may permit nefarious individuals to execute arbitrary JavaScript code under specific circumstances.

    This vulnerability, cataloged as CVE-2024-47374 (with a CVSS score of 7.2), is characterized as a stored cross-site scripting (XSS) weakness that affects all versions of the plugin up to and including 6.5.0.2.

    The issue was rectified in version 6.5.1 on September 25, 2024, following a responsible disclosure by TaiYou, a researcher affiliated with Patchstack Alliance.

    According to Patchstack, “It could allow any unauthenticated user to steal sensitive information and, in this case, escalate privileges on the WordPress site by executing a single HTTP request.”

    The vulnerability arises from how the plugin processes the “X-LSCACHE-VARY-VALUE” HTTP header value, lacking sufficient sanitization and output escaping, thus enabling the injection of arbitrary web scripts.

    It’s crucial to note that the Page Optimization settings “CSS Combine” and “Generate UCSS” must be activated for the exploit to be successfully executed.
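The two controls the header handling lacked, input validation and output escaping, shown here as an added example (this is not LiteSpeed Cache code and not from Patchstack). The allowlist pattern, the `<td>` output context, the function names and the sample requests are assumptions constructed for illustration.

```python
import html
import re

HEADER = "x-lscache-vary-value"  # header named in the advisory, compared case-insensitively

# Assumption: legitimate vary values are short tokens. This allowlist is illustrative,
# not the plugin's actual grammar.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:,=\-]{1,128}")


def vary_value(headers):
    """Return the header's value, or None when the request does not carry it."""
    for name, value in headers.items():
        if name.lower() == HEADER:
            return value
    return None


def screen_request(headers):
    """Input-side control: 'absent', 'ok', or 'reject' for one request's headers."""
    value = vary_value(headers)
    if value is None:
        return "absent"
    return "ok" if SAFE_VALUE.fullmatch(value) else "reject"


def render_unescaped(value):
    """Flawed pattern: a stored value is concatenated into HTML as-is."""
    return "<td>" + value + "</td>"


def render_escaped(value):
    """Output-side control: escape for the HTML context right before output."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


# Constructed sample requests; the markup value is a harmless stand-in.
SAMPLES = [
    {"Host": "example.test"},
    {"Host": "example.test", "X-LSCACHE-VARY-VALUE": "guest_mode:1"},
    {"Host": "example.test", "x-lscache-vary-value": "<b>markup</b>"},
]

if __name__ == "__main__":
    for headers in SAMPLES:
        value = vary_value(headers)
        shown = render_escaped(value) if value is not None else "-"
        print(screen_request(headers), shown)
```

Either control alone would have blocked the stand-in value; applying both means a gap in the allowlist still cannot turn stored data into markup.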

    Stored XSS, also referred to as persistent XSS, is a class of vulnerability in which an injected script is stored permanently on the targeted website’s servers, for example in a database, message forum, visitor log, or comment.

    This leads to the execution of the malicious code embedded within the script every time an unsuspecting visitor accesses the relevant resource, such as a web page featuring the specially crafted comment.

    Stored XSS attacks can have severe ramifications, as they can be weaponized to launch browser-based exploits, pilfer sensitive information, or even hijack the session of an authenticated user to perform actions on their behalf.

    The most catastrophic scenario occurs when the compromised user account belongs to a site administrator, granting a malicious actor complete control over the website and the ability to orchestrate even more potent attacks.

    WordPress plugins and themes serve as a favored target for cybercriminals intent on infiltrating legitimate websites. With LiteSpeed Cache boasting over six million active installations, vulnerabilities in the plugin present an enticing attack surface for opportunistic threats.

    The latest patch emerges nearly a month after the plugin developers resolved another vulnerability (CVE-2024-44000, CVSS score: 7.5) that could empower unauthenticated users to seize control of arbitrary accounts.

    This comes on the heels of the disclosure of a critical, unpatched SQL injection vulnerability in the TI WooCommerce Wishlist plugin (CVE-2024-43917, CVSS score: 9.8) that, if exploited, allows any user to execute arbitrary SQL queries within the WordPress site’s database.

    Another alarming security flaw pertains to the Jupiter X Core WordPress plugin (CVE-2024-7772, CVSS score: 9.8), which enables unauthenticated attackers to upload arbitrary files to the affected site’s server, potentially leading to remote code execution.

    This vulnerability has been resolved in version 4.7.8, alongside a high-severity authentication bypass flaw (CVE-2024-7781, CVSS score: 8.1), which “enables unauthenticated attackers to log in as the first user who logged in via a social media account, including administrator accounts,” according to Wordfence.
