The widely used LiteSpeed Cache WordPress plugin has fixed a security flaw that put more than 4 million websites at risk by allowing attackers to inject malicious scripts.

LiteSpeed became aware of this vulnerability on August 14th, two months prior to the patch release in October.

Wordfence uncovered a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed plugin, the most popular caching plugin for WordPress. XSS vulnerabilities typically arise where two security practices, data sanitization and output escaping, are missing.

The LiteSpeed vulnerability stemmed from its shortcode implementation, which let attackers inject scripts that proper sanitization and escaping would have blocked.

Sanitization, as explained on the WordPress developer page, means checking and cleaning input data from any source, including users and third-party sites, so that it is safe to use. Escaping, by contrast, secures output data by removing unwanted elements, such as malformed HTML or script tags, before it is rendered for the end user.
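As an added example (not LiteSpeed's code and not from the original article), a hypothetical `notice` shortcode written once without sanitization or escaping and once with the WordPress helpers the text refers to; it assumes it runs inside WordPress, where `add_shortcode`, `shortcode_atts`, `sanitize_text_field`, `esc_attr`, `esc_html`, `wp_kses_post` and `do_shortcode` are available.

```php
<?php
/**
 * Added example, not LiteSpeed's code: a hypothetical "notice" shortcode,
 * first without and then with sanitization and escaping.
 * Assumes WordPress is loaded (e.g. as a mu-plugin), so the helpers exist.
 */

// Weak form: attribute values and enclosed content are echoed verbatim.
// Anyone allowed to publish shortcodes (contributors included) controls
// this output, and it is rendered to every visitor, so stored markup runs
// in their browsers.
function example_notice_unescaped( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'title' => '', 'color' => 'blue' ), $atts );
    return '<div class="notice" style="color:' . $atts['color'] . '">'
         . '<strong>' . $atts['title'] . '</strong> ' . $content . '</div>';
}
add_shortcode( 'notice_unescaped', 'example_notice_unescaped' );

// Hardened form: sanitize on input, escape on output for the context used.
function example_notice_escaped( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'title' => '', 'color' => 'blue' ), $atts );

    // Sanitize: strip tags and line breaks from the free-text attribute.
    $title = sanitize_text_field( $atts['title'] );

    // A CSS value is safest restricted to an allow-list rather than trusted as text.
    $allowed_colors = array( 'blue', 'red', 'green' );
    $color = in_array( $atts['color'], $allowed_colors, true ) ? $atts['color'] : 'blue';

    // Enclosed content may hold nested shortcodes; keep only post-safe HTML.
    $body = wp_kses_post( do_shortcode( $content ) );

    // Escape each value for the exact context it is printed in:
    // esc_attr() inside an HTML attribute, esc_html() inside element text.
    return '<div class="notice" style="color:' . esc_attr( $color ) . '">'
         . '<strong>' . esc_html( $title ) . '</strong> ' . $body . '</div>';
}
add_shortcode( 'notice', 'example_notice_escaped' );
```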

This particular vulnerability requires the attacker to first obtain contributor-level permissions, which makes it harder to exploit than unauthenticated flaws that need no permission level at all.

According to Wordfence:

“Such an attack enables malicious actors to execute stored XSS attacks. Each time a user accesses the affected page, the injected script will execute.

While this vulnerability necessitates compromising a trusted contributor account or allowing a user to register as a contributor, successful attackers could potentially steal sensitive data, manipulate site content, inject administrative users, modify files, or redirect users to malicious websites, all of which have serious implications.”

If you use LiteSpeed Cache, note that versions 5.6 and older of the plugin are susceptible to this XSS attack.