The widely-used LiteSpeed WordPress plugin has addressed a security flaw that jeopardized the security of more than 4 million websites, allowing cybercriminals to upload harmful scripts.

This vulnerability came to the attention of LiteSpeed on August 14th, two months before the release of a patch in October.

The issue at hand is a Cross-Site Scripting (XSS) vulnerability that was uncovered by Wordfence in the LiteSpeed plugin, renowned as the most popular caching plugin for WordPress. XSS vulnerabilities typically exploit the absence of a security practice known as data sanitization and escaping.

Data sanitization is a method that filters the types of files that can be uploaded through legitimate inputs, such as contact forms.

In the particular LiteSpeed vulnerability, the implementation of shortcode functionality allowed malicious hackers to upload scripts that would have been blocked had proper security measures like data sanitization and escaping been in place.

The sanitization security practice, as explained on the WordPress developer page, involves checking and securing input data from various sources, including users and third-party sites, to ensure it is safe to use. Escaping, on the other hand, secures output data by removing unwanted elements, like malformed HTML or script tags, before it is rendered for the end user.
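As an added illustration of the two practices (not LiteSpeed Cache's code, and not the affected shortcode itself, whose name and attributes the article does not give), here is a hypothetical WordPress shortcode handler that renders a caller-supplied attribute unescaped, beside a hardened version that sanitizes on input and escapes on output with WordPress's own helpers:

```php
<?php
// Hypothetical shortcode [hl_box title="..."] invented for this example; the
// shortcode name, attribute and markup are assumptions, not plugin code.

// VULNERABLE: the attribute value goes straight into the HTML output.
// A contributor who can place the shortcode in a post controls $atts['title'];
// a value containing a double quote closes the title attribute and lets the
// rest of the string be interpreted as markup, so it runs for every visitor.
// Save-time filtering of post content does not help: shortcode output is
// generated at render time, after that filtering has already happened.
function hl_box_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'hl_box' );
    return '<div class="hl-box" title="' . $atts['title'] . '">'
         . $atts['title'] . '</div>';
}

// HARDENED: sanitize on the way in (strip tags, control characters and stray
// whitespace), then escape on the way out with the escaper that matches the
// context the value lands in: esc_attr() inside an attribute, esc_html()
// between tags. Both steps are needed; sanitization alone does not make a
// value safe for every output context.
function hl_box_shortcode_safe( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '' ), $atts, 'hl_box' );
    $title = sanitize_text_field( $atts['title'] );   // sanitization (input)
    return '<div class="hl-box" title="' . esc_attr( $title ) . '">'
         . esc_html( $title ) . '</div>';             // escaping (output)
}

add_shortcode( 'hl_box', 'hl_box_shortcode_safe' );
```

When reviewing a plugin for this class of bug, look for shortcode and widget callbacks that concatenate `$atts` values or post meta into returned HTML without an `esc_*()` call at the point of output.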

This specific vulnerability requires the attacker to first obtain contributor-level permissions, which makes it harder to exploit than unauthenticated threats that need no particular permission level.

According to Wordfence:

“Such an attack enables malicious actors to execute stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page.

While this vulnerability necessitates compromising a trusted contributor account or allowing a user to register as a contributor, successful attackers could potentially steal sensitive data, manipulate site content, inject administrative users, modify files, or redirect users to malicious websites, all of which have serious implications.”

If you are using LiteSpeed Cache, it’s important to note that versions 5.6 or older of the LiteSpeed Cache plugin are susceptible to the XSS attack. Users are strongly advised to promptly update their plugin to the latest version, 5.7, which was made available on October 10, 2023.