The popular LiteSpeed WordPress plugin patched a vulnerability that compromised over 4 million websites, allowing hackers to upload malicious scripts.
LiteSpeed was notified of the vulnerability two months ago on August 14th and released a patch in October.
Cross-Site Scripting (XSS) Vulnerability
Wordfence discovered a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed plugin, the most popular WordPress caching plugin in the world.
XSS vulnerabilities are generally a type that takes advantage of a lack of a security process called data sanitization and escaping.
Sanitization is a technique that filters what kind of files can be uploaded via a legitimate input, like on a contact form.
In the specific LiteSpeed vulnerability, the implementation of a shortcode functionality allowed a malicious hacker to upload scripts they otherwise would not be able to had the proper security protocols of sanitization/escaping data been in place.
The WordPress developer page describes the sanitization security practice:
“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.
…Sanitizing input is the process of securing/cleaning/filtering input data.”
Another WordPress developer page describes the recommended process of escaping data like this:
“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.
This process helps secure your data prior to rendering it for the end user.”
This specific vulnerability requires that the hacker first obtain contributor level permissions in order to carry out the attack, which makes carrying out the attack more complicated than other kinds of threats that are unauthenticated (require no permission level).
According to Wordfence:
“This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page.
While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.”
Which Versions of LiteSpeed Plugin Are Vulnerable?
Versions 5.6 or less of the LiteSpeed Cache plugin are vulnerable to the XSS attack.
Users of the LiteSpeed Cache are encouraged to update their plugin as soon as possible to the latest version, 5.7 which was released on October 10, 2023.
Source and more details: https://www.wordfence.com/blog/2023/10/4-million-wordpress-sites-affected-by-stored-cross-site-scripting-vulnerability-in-lightspeed-cache-plugin/
See also: https://www.searchenginejournal.com/wordpress-litespeed-plugin-vulnerability-affects-4-million-websites/499074/#close