A serious new security flaw has been discovered in the LiteSpeed Cache plugin for WordPress that could allow attackers to execute arbitrary JavaScript code under certain conditions.
Drawback tracked as CVE-2024-47374 (CVSS score: 7.2), was described as a conserved intersite script (XSS) vulnerability that affects all versions of the plugin up to and including 6.5.0.2.
This was addressed in version 6.5.1 on September 25, 2024 after responsible disclosure by Patchstack Alliance researcher TaiYou.
“This could allow any unauthenticated user to steal sensitive information before, in this case, escalating privileges on a WordPress site by making a single HTTP request,” Patchstack said. said in the report.
The flaw stems from the way the plugin’s “X-LSCACHE-VARY-VALUE” HTTP header value is parsed without properly sanitizing and escaping the output, allowing the injection of arbitrary web scripts.
However, it should be noted that the “CSS Combine” and “Generate UCSS” page optimization settings are required for the exploit to be successful.
Such vulnerabilities, also called persistent XSS attacks, allow an embedded script to be permanently stored on a target website’s servers, such as in a database, message forum, visitor log, or comments.
This causes the malicious code embedded in the script to be executed whenever an unsuspecting visitor lands on a requested resource, such as a web page containing a specially crafted comment.
Persistent XSS attacks can have serious consequences as they can be used as a weapon to create browser-based exploits, steal sensitive information, or even hijack an authenticated user’s session and perform actions on their behalf.
The most damaging scenario is when the hijacked user account is a site administrator account, allowing the threat actor to take full control of the website and launch even more powerful attacks.
WordPress plugins and themes are a popular way for cybercriminals to compromise legitimate websites. Since LiteSpeed Cache boasts more than six million active installations, the plugin’s flaws create a profitable surface for opportunistic attacks.
The latest patch came almost a month after the plugin developers addressed another flaw (CVE-2024-44000, CVSS score: 7.5) that could allow unauthenticated users to take control of arbitrary accounts.
It also follows from disclosure unpatched critical SQL injection flaw in the TI WooCommerce Wishlist plugin (CVE-2024-43917, CVSS score: 9.8), which, if successfully exploited, allows any user to execute arbitrary SQL queries against a WordPress site’s database.
Another critical vulnerability concerns the Jupiter X Core WordPress plugin (CVE-2024-7772, CVSS Score: 9.8), which allows unauthenticated attackers to upload arbitrary files to a compromised site’s server, potentially leading to remote code execution.
This was fixed in version 4.7.8, along with a high-severity authentication bypass bug (CVE-2024-7781, CVSS score: 8.1) that “allows an unauthenticated attacker to log in as the first user logged in with social media accounts, including admin accounts,” Wordfence said.
