The popular LiteSpeed WordPress plugin recently patched a significant vulnerability that threatened over 4 million websites, allowing hackers to upload harmful scripts.
LiteSpeed was informed of the flaw on August 14th and subsequently rolled out a fix in October.
Cross-Site Scripting (XSS) Vulnerability
Wordfence identified a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed plugin, regarded as the most popular caching plugin for WordPress. XSS vulnerabilities typically exploit inadequate security processes such as data sanitization and escaping.
Sanitization is a technique used to filter what types of files can be uploaded through legitimate inputs, such as contact forms.
In the case of the LiteSpeed vulnerability, a flaw in the shortcode functionality allowed malicious hackers to upload scripts they wouldn’t normally be able to upload if proper security protocols had been in place.
The WordPress developer page explains the sanitization security practice:
“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.
…Sanitizing input is the process of securing/cleaning/filtering input data.”
Another WordPress developer page describes the escaping data process:
“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.
This process helps secure your data prior to rendering it for the end user.”
This particular vulnerability requires the hacker to have contributor-level permissions to conduct the attack, making it more complex compared to unauthenticated threats that do not require any permission levels.
According to Wordfence:
“This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page.
While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.”
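To make the sanitization/escaping advice above concrete in the setting the article describes (a shortcode handler rendering contributor-supplied values), here is an added example of a hypothetical [notice] shortcode in a vulnerable form beside a hardened form. This is illustrative code written for this page, not LiteSpeed's code; the polyfills at the top are simplified stand-ins for the WordPress functions so the file also runs under plain PHP.

```php
<?php
// Added example (not LiteSpeed's code): a hypothetical [notice] shortcode in
// vulnerable and hardened form. Contributors can place shortcodes in posts, so
// attribute values and inner content must be treated as untrusted input.

// Minimal stand-ins so the file also runs outside WordPress. The real
// esc_attr()/esc_html()/sanitize_text_field() do more; these only approximate
// them for the demonstration.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
    function shortcode_atts($defaults, $atts) { return array_merge($defaults, (array) $atts); }
    function add_shortcode($tag, $cb) { /* no-op outside WordPress */ }
}

// VULNERABLE: attribute and content are concatenated into HTML verbatim. A
// contributor-supplied value can close the attribute or tag and inject markup
// that is stored with the post and rendered for every visitor (stored XSS).
function notice_shortcode_vulnerable($atts, $content = '') {
    $a = shortcode_atts(['color' => 'blue'], $atts);
    return '<div class="notice" style="color:' . $a['color'] . '">' . $content . '</div>';
}

// HARDENED: sanitize on input, escape on output, and allow-list values where
// the set of legitimate inputs is small (a CSS colour keyword here).
function notice_shortcode_safe($atts, $content = '') {
    $a = shortcode_atts(['color' => 'blue'], $atts);
    $allowed = ['blue', 'red', 'green'];
    $color = in_array($a['color'], $allowed, true) ? $a['color'] : 'blue';
    // Plain text only inside the box; esc_html() neutralises anything that survives.
    $text = sanitize_text_field($content);
    return '<div class="notice" style="color:' . esc_attr($color) . '">'
         . esc_html($text) . '</div>';
}

add_shortcode('notice_vulnerable', 'notice_shortcode_vulnerable');
add_shortcode('notice', 'notice_shortcode_safe');

// Stand-alone demonstration with a constructed hostile attribute value that
// breaks out of the style attribute and the opening tag.
if (PHP_SAPI === 'cli') {
    $atts = ['color' => 'blue"><em>injected</em><i x="'];   // constructed input
    $content = 'Hello <b>world</b>';
    echo notice_shortcode_vulnerable($atts, $content), PHP_EOL;
    echo notice_shortcode_safe($atts, $content), PHP_EOL;
}
```

Run it with `php notice.php`: the first line shows the injected element surviving into the output, the second shows it reduced to a literal string inside a fixed colour value.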
Which Versions of LiteSpeed Plugin Are Vulnerable?
Versions 5.6 or older of the LiteSpeed Cache plugin are susceptible to the XSS attack.
Users are strongly advised to update their LiteSpeed Cache plugin to the latest version, 5.7, released on October 10, 2023.
For detailed information, refer to the Wordfence bulletin on the LiteSpeed XSS vulnerability.