The LiteSpeed Cache plugin for WordPress, with over six million active installations [1] [3], has been found to have a critical security flaw that allows attackers to gain full control without authentication.
Description
This vulnerability, identified as CVE-2024-47374 by TaiYou from Patchstack’s bug bounty program [3], stems from a defect in the plugin’s “role simulation” feature [2]. Attackers can exploit this flaw to obtain administrative access, potentially leading to the installation of malicious plugins, data theft [3], or site redirection.
Additionally, an unauthenticated stored XSS issue has been discovered that lets attackers inject malicious code into websites through the plugin’s “Vary Group” functionality. Specially crafted HTTP headers can be used to inject harmful content into the WordPress admin panel. Exploitation requires that the plugin settings CSS Combine and Generate UCSS be enabled [1].
LiteSpeed has released version 6.5.1 to address these vulnerabilities [3], implementing proper input sanitization to prevent code injection [3]. Website administrators are strongly advised to update to the latest version to protect their sites from potential attacks [3]. Regular audits of plugin settings and configurations [2], as well as disabling debugging, are recommended security measures.
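To support the update advice above, the following added example (not code from LiteSpeed, Patchstack, or the cited articles) audits WordPress document roots for a LiteSpeed Cache install older than 6.5.1. It assumes the default `wp-content/plugins/litespeed-cache/litespeed-cache.php` layout; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

FIXED = (6, 5, 1)  # fixed release named on this page
# Assumption: default WordPress layout and the plugin's standard main file.
PLUGIN_FILE = Path("wp-content/plugins/litespeed-cache/litespeed-cache.php")
# Matches the "Version:" line of a WordPress plugin header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split(".") if part)


def is_patched(version):
    """Compare against FIXED, padding so 6.5 == 6.5.0 and 6.5.0.2 < 6.5.1."""
    width = max(len(version), len(FIXED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(FIXED)


def audit_site(root):
    """Classify one document root: not-installed, unknown, vulnerable, patched."""
    path = Path(root) / PLUGIN_FILE
    if not path.is_file():
        return "not-installed"
    # Plugin headers sit at the top of the file; 8 KiB is enough to find them.
    header = path.read_text(encoding="utf-8", errors="replace")[:8192]
    version = parse_version(header)
    if version is None:
        return "unknown"  # header missing or altered: inspect by hand
    return "patched" if is_patched(version) else "vulnerable"


if __name__ == "__main__":
    # Usage: python audit_litespeed.py /var/www/site1 /var/www/site2 ...
    for site_root in sys.argv[1:]:
        print(f"{site_root}: {audit_site(site_root)}")
```

A "patched" result only confirms the installed version; the CSS Combine, Generate UCSS and debugging settings mentioned above still need to be reviewed in the plugin's admin pages.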
Conclusion
Website administrators should promptly update to version 6.5.1 of the LiteSpeed Cache plugin to mitigate the security risks posed by the identified vulnerabilities. By implementing proper input sanitization [3], LiteSpeed aims to prevent unauthorized access and code injection. Ongoing vigilance, regular audits [2], and adherence to security best practices are essential to safeguarding WordPress websites against potential threats.
References
[1] https://patchstack.com/articles/unauthenticated-stored-xss-vulnerability-in-litespeed-cache-plugin-affecting-6-million-sites/
[2] https://technologytimes.ng/nigeria-warns-of-wordpress-litespeed-cache-flaw/
[3] https://www.infosecurity-magazine.com/news/litespeed-cache-plugin-flaw-allows/