A brand new high-severity safety flaw has been disclosed within the LiteSpeed Cache plugin for WordPress that would allow malicious actors to execute arbitrary JavaScript code below sure circumstances.
The flaw, tracked as CVE-2024-47374 (CVSS rating: 7.2), has been described as a saved cross-site scripting (XSS) vulnerability impacting all variations of the plugin as much as and together with 6.5.0.2.
It was addressed in model 6.5.1 on September 25, 2024, following accountable disclosure by Patchstack Alliance researcher TaiYou.
“It might permit any unauthenticated consumer from stealing delicate info to, on this case, privilege escalation on the WordPress web site by performing a single HTTP request,” Patchstack stated in a report.
The flaw stems from the style through which the plugin the “X-LSCACHE-VARY-VALUE” HTTP header worth is parsed with out enough sanitization and output escaping, thereby permitting for injection of arbitrary net scripts.
That stated, it is price declaring that the Web page Optimization settings “CSS Mix” and “Generate UCSS” are required to allow the exploit to achieve success.
Additionally referred to as persistent XSS assaults, such vulnerabilities make it attainable to retailer an injected script completely on the goal web site’s servers, resembling in a database, in a message discussion board, in a customer log, or in a remark.
This causes the malicious code embedded throughout the script to be executed each time an unsuspecting web site customer lands on the requested useful resource, as an illustration, the net web page containing the specifically crafted remark.
Saved XSS assaults can have critical penalties as they may very well be weaponized to ship browser-based exploits, steal delicate info, and even hijack an authenticated consumer’s session and carry out actions on their behalf.
Essentially the most damaging situation is when the hijacked consumer account is that of a web site administrator, thereby permitting a menace actor to utterly take management of the web site and stage much more highly effective assaults.
WordPress plug-ins and themes are a well-liked avenue for cybercriminals seeking to compromise professional web sites. With LiteSpeed Cache boasting over six million energetic installations, flaws within the plugin pose a profitable assault floor for opportunistic assaults.
The newest patch arrives practically a month after the plugin builders addressed one other flaw (CVE-2024-44000, CVSS rating: 7.5) that would permit unauthenticated customers to take management of arbitrary accounts.
It additionally follows the disclosure of an unpatched vital SQL injection flaw within the TI WooCommerce Wishlist plugin (CVE-2024-43917, CVSS rating: 9.8) that, if efficiently exploited, permits any consumer to execute arbitrary SQL queries within the database of the WordPress web site.
One other vital safety vulnerability considerations the Jupiter X Core WordPress plugin (CVE-2024-7772, CVSS rating: 9.8) that permits unauthenticated attackers to add arbitrary recordsdata on the affected web site’s server, probably resulting in distant code execution.
It has been fastened in model 4.7.8, together with a high-severity authentication bypass flaw (CVE-2024-7781, CVSS rating: 8.1) that “makes it attainable for unauthenticated attackers to log in as the primary consumer to have logged in with a social media account, together with administrator accounts,” Wordfence stated.
