LiteSpeed Plugin Flaw: WordPress Users Exposed To XSS Attack
As per recent reports, a new LiteSpeed plugin flaw has been discovered and WordPress users are now at risk of cross-site scripting (XSS) attacks. The flaw if exploited allows threat actors to execute arbitrary JavaScript code to carry out their malicious intentions. In this article, we’ll cover what this flaw is, its severity and the affected versions. Let’s begin!
LiteSpeed Plugin Flaw Uncovered
The XSS attack-triggering LiteSpeed plugin flaw is currently being tracked as CVE-2024-47374. It has a critical vulnerability severity score (CVSS) of 7.2 and impacts all versions of the including and up to 6.5.0.2. The flaw was disclosed by Patchstack Alliance researcher TaiYou. Providing valuable insight, the Patchstack stated that:
“It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request.”
The flaw stems from the fact that the HTTP header value is phrased without any output escaping and sanitization, allowing threat actors to inject malicious web scripts. Despite this, the “CSS Combine” and “Generate UCSS” Page Optimization settings are needed for the exploit to be successful.
CVE-2024-47374 Attack Details
As far as the attack details are concerned, it’s worth noting that vulnerabilities such as CVE-2024-47374, which plays a key role in the LiteSpeed plugin flaw attacks, allow arbitrary scripts to be injected and stored permanently. These malicious scripts can be stored in various locations that include:
- Database.
- Visitor log.
- Comments.
- Message forum.
- Website servers.
These storage locations are essential to threat actors, given that they ensure the execution of the malicious code every time a user lands on a compromised page. Such attacks can lead to severe consequences given can be used to deliver browser-based payloads for multiple initiatives that include:
- Stealing information.
- Hijacking an authenticated user’s session.
- Performing actions on behalf of the user.
The severity of such attack methods being implemented increases dramatically when the compromised user account belongs to a site administrator. In such a scenario, threat actors can acquire complete control of a website.
Protection Against WordPress Plugin Vulnerabilities
Online threat actors are now using increasingly complex methods when targeting victims. Exploiting vulnerabilities such as the LiteSpeed plugin flaw has become a common tactic used to compromise legitimate websites.
The LiteSpeed plugin for WordPress currently has over 6 million active installations, meaning that exploiting it is a lucrative option for threat actors. Given this, it’s essential to know how one can ensure protection against WordPress vulnerabilities.
To ensure protection against the flaw, users must update to the latest version, released on September 25th, 2024. This patch for the flaw was released one month after developers fixed another vulnerability.
It’s worth noting that the previous vulnerability was tracked as CVE-2024-44000 and had a CVSS score of 7.5. This vulnerability, if exploited, could have allowed threat actors to take control over arbitrary accounts.
Conclusion
The LiteSpeed plugin flaw poses a significant risk to WordPress users, with the potential for XSS attacks and privilege escalation. To protect against these vulnerabilities, it’s crucial for users to update to the latest version of the plugin. In addition, users must also implement proactive cybersecurity protocols to stay secure amid the evolving online environment.
The sources for this piece include articles in The Hacker News and Bleeping Computer.
The post LiteSpeed Plugin Flaw: WordPress Users Exposed To XSS Attack appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/litespeed-plugin-flaw-wordpress-users-exposed-to-xss-attack/
