A new vulnerability in the LiteSpeed Cache plugin for WordPress has been identified that could allow unauthenticated attackers to inject malicious code into websites.
The flaw, discovered by TaiYou from Patchstack’s bug bounty program, impacts the plugin’s CSS queue generation process and affects over six million active installations.
The vulnerability, tracked as CVE-2024-47374, is an unauthenticated stored XSS issue that could lead to privilege escalation or data theft. It exploits the plugin’s “Vary Group” functionality, which controls cache variations based on user roles.
Attackers can manipulate this functionality via specially crafted HTTP headers, injecting harmful content directly into the WordPress admin panel.
“This vulnerability occurs because the code that handles the view of the queue doesn’t implement sanitization and output escaping,” Patchstack explained.
For the exploit to be effective, two settings must be enabled in the LiteSpeed Cache plugin:
-
CSS Combine
-
Generate UCSS
The first one combines multiple CSS files into a single file, reducing server load and improving performance. However, when active, it allows the vulnerable code to be triggered, opening the door for an attacker to exploit the flaw.
The second, on the other hand, generates unique CSS files for each page, tailored to the content being displayed. While this feature enhances optimization, it also makes the vulnerability exploitable, as it exposes the queue for CSS generation to potentially malicious inputs.
LiteSpeed has addressed the vulnerability in version 6.5.1, which implements proper input sanitization using the esc_html function to prevent malicious code injection.
Users of the LiteSpeed Cache plugin are strongly advised to update to the latest version to safeguard their sites from potential attacks.
“We recommend applying escaping and sanitization to any message that will be displayed as an admin notice,” Patchstack added. “We also recommend applying a proper permission or authorization check to the registered rest route endpoints.”