A new high-severity security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress which, under certain conditions, could allow attackers to execute arbitrary JavaScript in the browser of anyone visiting the affected site.
The vulnerability, tracked as CVE-2024-47374 (CVSS score: 7.2), is a stored cross-site scripting (XSS) flaw that affects all versions of the plugin up to and including 6.5.0.2.
It was fixed in version 6.5.1 on September 25, 2024, following responsible disclosure by Patchstack Alliance researcher TaiYou.
“It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request,” Patchstack reported.
The vulnerability stems from the way the plugin handles the value of the “X-LSCACHE-VARY-VALUE” HTTP request header: the value is accepted without sufficient sanitization and later written out without output escaping, which leaves room for arbitrary web script injection.
That said, it is important to note that the flaw is only exploitable when the Page Optimization settings “CSS Combine” and “Generate UCSS” are both enabled; sites with either option turned off are not affected by this issue.
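To make the bug class concrete, the following is an added, self-contained illustration written for this page; it is not LiteSpeed Cache's code and does not reproduce the plugin's actual code path. It assumes a hypothetical sink in which a header-supplied "vary" value is stored and later emitted inside an HTML attribute, and shows the unsanitized handling beside a hardened version that validates the value against an allow-list on input and escapes it at the output sink (with WordPress loaded, `esc_attr()` would be the usual escaping call; plain `htmlspecialchars()` is used here so the script runs stand-alone).

```php
<?php
// Added example, not the plugin's code. Demonstrates why a request header
// that is stored and later rendered into markup must be both validated
// on input and escaped on output.

// Constructed attacker-controlled value, as a single crafted request could
// send in the X-LSCACHE-VARY-VALUE header. In a real request it would be
// read from $_SERVER['HTTP_X_LSCACHE_VARY_VALUE'].
$header = 'desktop"><script>alert(document.cookie)</script><x a="';

// Vulnerable pattern: the raw header value is trusted and interpolated
// straight into an attribute of the generated markup (hypothetical sink).
function vulnerable_vary_markup(string $vary): string {
    return '<link rel="stylesheet" href="/wp-content/litespeed/css/' . $vary . '.css">';
}

// Hardened step 1: validate on input. A vary token only needs a short set
// of safe characters, so reject anything else instead of trying to "clean" it.
function sanitize_vary(string $vary): ?string {
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $vary) === 1 ? $vary : null;
}

// Hardened step 2: escape at the output sink regardless of step 1, so a
// future code path that stores an unvalidated value still cannot break out
// of the attribute.
function hardened_vary_markup(string $vary): string {
    $safe = sanitize_vary($vary);
    if ($safe === null) {
        return ''; // unknown vary value: emit nothing rather than attacker input
    }
    $attr = htmlspecialchars($safe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<link rel="stylesheet" href="/wp-content/litespeed/css/' . $attr . '.css">';
}

echo "Vulnerable:        " . vulnerable_vary_markup($header) . "\n";
echo "Hardened (attack): " . var_export(hardened_vary_markup($header), true) . "\n";
echo "Hardened (benign): " . hardened_vary_markup('desktop') . "\n";
```

Running the script shows the vulnerable function emitting a closed `<link>` tag followed by a live `<script>` element, while the hardened function returns an empty string for the attack value and the expected `<link>` tag for a benign token. The allow-list is deliberately strict because the value is an internal cache key, not user-facing content; the output escaping is kept even though the allow-list already excludes every dangerous character, since defense in depth at the sink is what survives future refactoring.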
Stored XSS, also known as persistent cross-site scripting, differs from reflected XSS in that the injected script is saved on the target website and served back to visitors indefinitely. Typical storage locations include databases, message boards, visitor logs, and comment fields.
This means that every time an unsuspecting visitor loads the affected resource, for example a page containing a carefully crafted comment, the malicious script is executed in their browser.
Stored XSS attacks carry potentially serious consequences: they can be used to deliver browser-based exploits, steal confidential data, or hijack an authenticated user's session and carry out actions on their behalf.
The worst case is when the compromised session belongs to a site administrator, since the attacker then gains full control of the website and can use that foothold to launch further attacks.
Attackers frequently abuse WordPress plugins and themes as a way into otherwise reputable websites. With more than six million active installations, LiteSpeed Cache is an attractive target, and any vulnerability in the plugin is likely to draw malicious attention.
The latest patch arrives a little over a month after the plugin developers fixed another vulnerability (CVE-2024-44000, CVSS score: 7.5) that could have allowed unauthorized users to take over accounts.
It also follows the disclosure of a critical SQL injection flaw in the TI WooCommerce Wishlist plugin (CVE-2024-43917, CVSS score: 9.8) which, if successfully exploited, allows any user to run arbitrary SQL queries against the WordPress site's database.
Another critical flaw has been identified in the Jupiter X Core WordPress plugin (CVE-2024-7772, CVSS score: 9.8); it allows unauthorized users to upload arbitrary files to the site's server, which could lead to remote code execution.