WordPress LiteSpeed Cache plugin flaw could allow site takeover

A high-severity flaw in the WordPress LiteSpeed Cache plugin could allow attackers to execute arbitrary JavaScript code under certain conditions.

A high-severity security flaw, tracked as CVE-2024-47374 (CVSS score 7.2), in the LiteSpeed Cache plugin for WordPress could allow attackers to execute arbitrary JavaScript.

The vulnerability is a stored cross-site scripting (XSS) issue impacting versions up to 6.5.0.2.

This LiteSpeed Cache plugin is an all-in-one site acceleration tool, offering server-level caching and optimization features. It supports WordPress Multisite and is compatible with popular plugins like WooCommerce, bbPress, and Yoast SEO. LiteSpeed Cache has over six million active installations, for this reason, site admins must address the issue as soon as possible.

The vulnerability was originally reported by TaiYou to the Patchstack bug bounty program for WordPress. 

“This plugin suffers from unauthenticated stored XSS vulnerability. It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request.” reads the advisory.

The flaw arises from improper sanitization of the “X-LSCACHE-VARY-VALUE” HTTP header, allowing arbitrary script injection. The issue could be exploited only if the “CSS Combine” and “Generate UCSS” settings are enabled.

An attacker could potentially exploit this vulnerability to hijack the account of a site administrator and take full control of the website.

The vulnerability was addressed in version 6.5.1 on September 25, 2024.

The most damaging scenario is when the hijacked user account is that of a site administrator, thereby allowing a threat actor to completely take control of the website and stage even more powerful attacks.

“We recommend applying escaping and sanitization to any message that will be displayed as an admin notice. Depending on the context of the data, we recommend using sanitize_text_field to sanitize value for HTML output (outside of HTML attribute) or esc_html. For escaping values inside of attributes, you can use the esc_attr function.” concludes the report. “We also recommend applying a proper permission or authorization check to the registered rest route endpoints.”

In early September, the developer behind the LiteSpeed Cache plugin addressed another unauthenticated account takeover vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), that can allow any visitor to gain access to logged-in users and potentially escalate privileges to the Administrator level. An attacker can exploit this vulnerability to upload malicious plugins.

Patchstack researchers explained that the flaw stems from an HTTP response header leak that exposed “Set-Cookie” headers in a debug log file (/wp-content/debug.log) after login attempts.

An unauthenticated attacker can view sensitive information, including user cookie data from HTTP response headers. This could enable attackers to log in using any valid session. The flaw can be exploited only if the WordPress site’s debug feature is enabled and this feature is disabled by default.

“The vulnerability exploits an HTTP response headers leak on the debug log file which also leaks the “Set-Cookie” header after the users perform a login request.” reads the report published by Patchstack. “The main vulnerable code exists on the function ended

The vulnerability CVE-2024-44000 impacts versions before and including 6.4.1. The issue has been addressed in version 6.5.0.1.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, WordPress)