
Millions of WordPress Sites at Risk Due to LiteSpeed Cache Plugin Flaw

Deepanker Verma October 4, 2024 Security


A new high-severity vulnerability has been discovered in the popular LiteSpeed Cache plugin for WordPress. It could allow an attacker to execute arbitrary JavaScript code. The vulnerability is tracked as CVE-2024-47374 and has a CVSS score of 7.2. It has been patched in version 6.5.1, released on September 25, 2024.

TaiYou reported the vulnerability to the Patchstack bug bounty program. After the vulnerability was fixed, Patchstack published details of the vulnerability.

The LiteSpeed Cache plugin is a popular WordPress caching plugin that offers server-level caching and optimization features. It has over 6 million installations, which gives a sense of the potential impact of the vulnerability.

The researcher found an unauthenticated stored XSS vulnerability that could allow an unauthorized user to exploit the site by sending a single HTTP request. The issue was due to improper handling of the $vary variable in the CSS and UCSS generation functions. This could lead to privilege escalation and data theft.

The vulnerability affects sites where specific optimization settings are enabled. An attacker can exploit the vulnerability to hijack an authenticated user’s session. If the hijacked account has Administrator privileges, the attacker can take complete control of the website.

With the latest version, the LiteSpeed Cache team has addressed the issue and applied proper sanitization to the affected variables. If you use the LiteSpeed Cache plugin, it is advised to update the plugin immediately to mitigate the risk of attacks.
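The update advice above can be checked across a whole server with a short script. This is an added example, not code from the article or from the LiteSpeed Cache project; it assumes the plugin sits in its standard directory `wp-content/plugins/litespeed-cache/` and that `sort -V` (GNU coreutils or BusyBox) is available. It checks the version only, not whether the affected optimization settings are enabled.

```shell
#!/bin/sh
# Added example: flag LiteSpeed Cache installs older than the fixed release.
# FIXED_VERSION comes from the article; the function names are illustrative.
FIXED_VERSION="6.5.1"

# Succeeds (exit 0) when version $1 is strictly lower than version $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print the "Version:" value from a plugin main file's header comment.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$1" |
        head -n 1
}

# Walk every WordPress tree under $1 and print one line per install:
#   VULNERABLE <version> <path>   version is below FIXED_VERSION
#   PATCHED    <version> <path>   version is FIXED_VERSION or newer
#   UNKNOWN    -         <path>   header could not be parsed, check by hand
audit_litespeed() {
    find "$1" -type f \
        -path '*/wp-content/plugins/litespeed-cache/litespeed-cache.php' |
    while IFS= read -r file; do
        ver=$(plugin_version "$file")
        if [ -z "$ver" ]; then
            echo "UNKNOWN - $file"
        elif version_lt "$ver" "$FIXED_VERSION"; then
            echo "VULNERABLE $ver $file"
        else
            echo "PATCHED $ver $file"
        fi
    done
}

# Usage: sh audit.sh /var/www   (the web root path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_litespeed "$1"
fi
```

Any line marked VULNERABLE or UNKNOWN identifies a site to update or inspect manually.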



About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
