A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions.
The flaw, tracked as CVE-2024-47374 (CVSS score: 7.2), has been described as a stored cross-site scripting (XSS) vulnerability impacting all versions of the plugin up to and including 6.5.0.2.
It was addressed in version 6.5.1 on September 25, 2024, following responsible disclosure by Patchstack Alliance researcher TaiYou.
"It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," Patchstack said in a report.
The flaw stems from the manner in which the plugin the "X-LSCACHE-VARY-VALUE" HTTP header value is parsed without adequate sanitization and output escaping, thereby allowing for injection of arbitrary web scripts.
That said, it's worth pointing out that the Page Optimization settings "CSS Combine" and "Generate UCSS" are required to enable the exploit to be successful.
Also called persistent XSS attacks, such vulnerabilities make it possible to store an injected script permanently on the target website's servers, such as in a database, in a message forum, in a visitor log, or in a comment.
This causes the malicious code embedded within the script to be executed every time an unsuspecting site visitor lands on the requested resource, for instance, the web page containing the specially crafted comment.
Stored XSS attacks can have serious consequences as they could be weaponized to deliver browser-based exploits, steal sensitive information, or even hijack an authenticated user's session and perform actions on their behalf.
The most damaging scenario is when the hijacked user account is that of a site administrator, thereby allowing a threat actor to completely take control of the website and stage even more powerful attacks.
WordPress plug-ins and themes are a popular avenue for cybercriminals looking to compromise legitimate websites. With LiteSpeed Cache boasting over six million active installations, flaws in the plugin pose a lucrative attack surface for opportunistic attacks.
The latest patch arrives nearly a month after the plugin developers addressed another flaw (CVE-2024-44000, CVSS score: 7.5) that could allow unauthenticated users to take control of arbitrary accounts.
It also follows the disclosure of an unpatched critical SQL injection flaw in the TI WooCommerce Wishlist plugin (CVE-2024-43917, CVSS score: 9.3) that, if successfully exploited, permits any user to execute arbitrary SQL queries in the database of the WordPress site.
Wordfence, which has assigned CVE-2024-43917 a higher CVSS score of 9.8, said the problem is due to "insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query." This, it added, enables unauthenticated attackers to append additional SQL queries into already existing queries and extract sensitive information from the database.
Another critical security vulnerability concerns the Jupiter X Core WordPress plugin (CVE-2024-7772, CVSS score: 9.8) that allows unauthenticated attackers to upload arbitrary files on the affected site's server, potentially leading to remote code execution.
It has been fixed in version 4.7.8, along with a high-severity authentication bypass flaw (CVE-2024-7781, CVSS score: 8.1) that "makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts," Wordfence said.
(The story was updated after publication to include more information about CVE-2024-43917 and highlight the differences in the CVSS score.)