The widely-used LiteSpeed WordPress plugin has addressed a security flaw that jeopardized the security of more than 4 million websites, allowing cybercriminals to upload harmful scripts.
LiteSpeed became aware of this vulnerability on August 14th, two months prior to the patch release in October.
Wordfence uncovered a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed plugin, which is renowned as the most popular caching plugin for WordPress. XSS vulnerabilities typically arise where user-supplied data is not sanitized on input and escaped on output.
The vulnerability in LiteSpeed stemmed from the implementation of the plugin's shortcode functionality, which enabled malicious hackers to upload scripts that would have been blocked if proper security measures such as data sanitization and escaping had been in place.
This specific vulnerability demands that the attacker first acquire contributor-level permissions to execute the attack, making it more complex than other unauthenticated threats that don’t require any specific permission level.
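To make the missing sanitization and escaping concrete, here is an added example (not LiteSpeed Cache code and not from Wordfence) of a hypothetical shortcode handler in its unescaped and hardened forms. It assumes the shortcode writes a user-supplied attribute into an HTML attribute; the function names and sample value are constructed, and plain PHP functions stand in for WordPress's `sanitize_text_field()` and `esc_attr()` so the file runs on its own.

```php
<?php
// Hypothetical shortcode handlers, not LiteSpeed Cache code. $atts models the
// attribute array WordPress passes to a callback registered with add_shortcode().

// Vulnerable form: the attribute value is concatenated into the markup as-is.
function demo_box_unsafe(array $atts): string {
    $title = $atts['title'] ?? '';
    return '<div class="box" title="' . $title . '">cached block</div>';
}

// Hardened form: sanitize on input, escape for the attribute context on output.
// In WordPress the equivalents are sanitize_text_field() and esc_attr().
function demo_box_safe(array $atts): string {
    $title = (string) ($atts['title'] ?? '');
    // Input side: drop tags and control characters.
    $title = preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($title));
    // Output side: encode quotes and angle brackets so the value cannot
    // close the title="..." attribute and start a new one.
    $title = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="box" title="' . $title . '">cached block</div>';
}

// Check helper: parse the markup and list the attributes the browser would
// see on the <div>. Anything beyond class and title came from user input.
function attribute_names(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $div = $doc->getElementsByTagName('div')->item(0);
    $names = [];
    foreach ($div->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Constructed sample: an attribute value as a contributor could type it in a post.
$atts = ['title' => 'x" onmouseover="alert(1)'];

foreach (['demo_box_unsafe', 'demo_box_safe'] as $handler) {
    $html = $handler($atts);
    echo $handler, ': ', $html, PHP_EOL;
    echo '  attributes on <div>: ', implode(', ', attribute_names($html)), PHP_EOL;
}
```

Because the output is stored with the post, the unescaped form serves the extra attribute to every visitor of that page, which is what makes the issue a stored XSS.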
According to Wordfence:
“Such an attack enables malicious actors to execute stored XSS attacks. Each time a user accesses the affected page, the injected script will execute.
While this vulnerability necessitates compromising a trusted contributor account or allowing a user to register as a contributor, successful attackers could potentially steal sensitive data, manipulate site content, inject administrative users, modify files, or redirect users to malicious websites, all of which have serious implications.”
If you are using LiteSpeed Cache, note that versions 5.6 or older of the plugin are susceptible to the XSS attack.