A high-severity security vulnerability has been identified in the LiteSpeed Cache plugin for WordPress that could allow malicious actors to execute arbitrary JavaScript code under specific conditions. The vulnerability is tracked as CVE-2024-47374 and carries a CVSS score of 7.2. It affects all versions of the plugin up to and including 6.5.0.2.

This issue was resolved in version 6.5.1, released on September 25, 2024, following a responsible disclosure by researcher TaiYou from the Patchstack Alliance. According to Patchstack, the vulnerability enables unauthorized users to potentially extract sensitive information and perform privilege escalation on WordPress sites with just one HTTP request.

The root of the problem lies in how the plugin handles the “X-LSCACHE-VARY-VALUE” HTTP header without sufficient sanitization and output escaping, which opens a pathway for arbitrary web script injection. Notably, the settings “CSS Combine” and “Generate UCSS” must be activated for the exploit to successfully function.

Such vulnerabilities are commonly known as persistent (stored) cross-site scripting (XSS) flaws. They allow attackers to permanently store injected scripts within the target site’s database or other persistent data stores, such as comment sections or logs. Consequently, whenever a user visits the resource containing the malicious script, the injected code executes, potentially leading to theft of sensitive information or the hijacking of user sessions.

If an administrator’s account is compromised, attackers could gain full control over the website, which poses significant risks not just to the site itself but also to its users and associated data. This vulnerability highlights the attractiveness of WordPress plugins and themes as targets for cybercriminals, especially considering LiteSpeed Cache has over six million active installations.

This latest patch comes shortly after another security issue was addressed in the same plugin, CVE-2024-44000, also associated with unauthenticated user access, and marks a growing trend where vulnerabilities are becoming increasingly severe. In tandem with this, a separate, unaddressed SQL injection vulnerability discovered in the TI WooCommerce Wishlist plugin (CVE-2024-43917, CVSS score: 9.3) may allow attackers to execute arbitrary SQL queries on the site’s database.

CVE-2024-43917 has been rated even more critical by Wordfence, which attributes the issue to inadequate escaping of user-supplied parameters, resulting in a heightened risk for unsanctioned data extraction. Additionally, another critical vulnerability affecting the Jupiter X Core WordPress plugin (CVE-2024-7772, CVSS score: 9.8) has been uncovered, allowing unauthorized file uploads, which may lead to remote code execution.

These findings serve as stark reminders for WordPress site owners to maintain vigilant security practices. Regularly updating plugins and themes, coupled with understanding emerging threats, may mitigate the risk of such vulnerabilities being exploited.
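For the LiteSpeed Cache issue, the affected range and fixed release stated above can be checked mechanically. The following is an added example, not code from the plugin or from Patchstack: it reads the `Version:` line from the text of a plugin's main PHP file and compares it numerically against 6.5.1. The function names and the sample header are constructed for illustration.

```python
import re

# From the article: CVE-2024-47374 affects LiteSpeed Cache up to and
# including 6.5.0.2 and is fixed in 6.5.1.
FIXED_VERSION = "6.5.1"

# WordPress reads plugin metadata from a "Version:" line in the comment
# header at the top of the plugin's main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def parse_version(text):
    """'6.5.0.2' -> (6, 5, 0, 2); anything but dotted integers is rejected."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_older(version, fixed=FIXED_VERSION):
    """Numeric comparison, zero-padded so 6.5.1 and 6.5.1.0 compare equal."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(a) < pad(b)


def audit(php_source):
    """Return (status, version) for the text of a plugin's main PHP file."""
    match = HEADER_RE.search(php_source[:8192])  # header sits at the top
    if match is None:
        return ("unknown", None)
    version = match.group(1)
    try:
        return ("vulnerable" if is_older(version) else "patched", version)
    except ValueError:
        return ("unknown", version)  # e.g. a pre-release suffix; check by hand


# Constructed sample header, not copied from the plugin.
SAMPLE = """<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Version: {v}
 */
"""

if __name__ == "__main__":
    for v in ("6.5.0.2", "6.5.1", "6.5.1.0", "6.10", "6.5.1-rc1"):
        print(v, audit(SAMPLE.format(v=v)))
```

Comparing the versions as integer tuples rather than strings matters here because the affected release has four components and the fix has three; a plain string comparison would also misorder a release such as 6.10 against 6.5.1.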

Note: This report has been updated to include additional information regarding CVE-2024-43917 and associated CVSS score variations.
