A WordPress plug-in installed more than 6 million times is vulnerable to a cross-site scripting (XSS) flaw that allows attackers to escalate privileges and potentially install malicious code to enable redirects, ads, and other HTML payloads on an affected website.
A security researcher who goes by the online handle “TaiYou” discovered the flaw, tracked as CVE-2024-47374, in LiteSpeed Cache, known as the most popular caching plug-in for the WordPress content management system (CMS). TaiYou reported the flaw on Sept. 24 to Patchstack through the Patchstack Bug Bounty Program for WordPress; it affects LiteSpeed Cache through version 6.5.0.2, and users should update immediately to avoid being vulnerable to attack.
LiteSpeed Cache is described by its developers as an “all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features.” It supports WordPress Multisite and is compatible with the most popular plug-ins, including WooCommerce, bbPress, and Yoast SEO.
The flaw that requires immediate attention is an unauthenticated stored XSS vulnerability that “could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request,” according to Patchstack.
XSS is one of the oldest and most often-exploited Web vulnerabilities, allowing an attacker to inject malicious code into a legitimate webpage or application so that malicious scripts execute in the browser of the person visiting the site.
Three WordPress Plug-in Flaws, One Dangerous
TaiYou actually found three flaws in the plug-in, including another XSS flaw as well as a path-traversal vulnerability. However, only CVE-2024-47374 is considered dangerous and expected to be exploited by attackers, according to Patchstack.
Upon notification by Patchstack, the developers of the LiteSpeed Cache plug-in sent back a patch for validation on the same day. Patchstack published an update that fixes all three flaws in LiteSpeed Cache version 6.5.1 on Sept. 25, and added the issues to its vulnerability database 5 days later.
CVE-2024-47374 is characterized as “Improper Neutralization of Input During Web Page Generation,” according to its listing on CVEdetails.com. “The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users,” according to the listing.
The vulnerability occurs because the code that handles the view of a queue in a particular part of the plug-in does not implement sanitization and output escaping, according to Patchstack.
“The plugin outputs a list of URLs that are queued for unique CSS generation and with the URL another functionality called ‘Vary Group’ is printed on the Admin page,” according to the blog post.
In this output, the “Vary Group” functionality combines the concepts of “cache varies” and “user roles.” “The vulnerability occurs because Vary Group can be supplied by a user via an HTTP Header and printed on the admin page without sanitization,” according to Patchstack.
Update & Mitigate CVE-2024-47374
Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins in particular are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to target individual plug-ins with large install bases, which makes vulnerable versions of LiteSpeed Cache a likely target.
The patch for CVE-2024-47374 is “fairly simple,” sanitizing the output using esc_html, according to Patchstack. The company issued a virtual patch to mitigate the flaw by blocking any attacks until its customers have updated to a fixed version. Meanwhile, all administrators of WordPress sites that use LiteSpeed Cache are advised to update to fixed version 6.5.1 immediately.
Patchstack also recommends that WordPress site developers working with the plug-in apply escaping and sanitization to any message that will be displayed as an admin notice to mitigate the vulnerability.
“Depending on the context of the data, we recommend using sanitize_text_field to sanitize the value for HTML output (outside of an HTML attribute) or esc_html,” according to the post. “For escaping values inside attributes, you can use the esc_attr function.”
Patchstack also recommends that website developers working with LiteSpeed Cache apply a proper permission or authorization check to the registered REST route endpoints to avoid exposing a site to XSS vulnerabilities.
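As an added illustration of the output-escaping and REST-permission advice above (constructed for this page, not LiteSpeed Cache's or Patchstack's code), here is a minimal WordPress snippet that echoes a header-supplied value into an admin notice, first unescaped and then hardened, and registers a REST route with a permission check. It reads the header at render time instead of from a stored queue, which is a simplification, and all lscwp_demo_* names and the X-Demo-Vary-Group header are hypothetical.

```php
<?php
// Added illustration, not LiteSpeed Cache's code: an admin notice that echoes a
// value taken from a request header, first unescaped, then cleaned and escaped as
// the Patchstack advisory recommends. All lscwp_demo_* names are hypothetical.

// Reads a hypothetical "vary group" value from a request header. Anything here
// is attacker-controlled: treat it as untrusted text, never as markup.
function lscwp_demo_vary_group_from_request() {
    return isset( $_SERVER['HTTP_X_DEMO_VARY_GROUP'] )
        ? wp_unslash( $_SERVER['HTTP_X_DEMO_VARY_GROUP'] )
        : '';
}

// BEFORE (the class of bug behind CVE-2024-47374): header text is concatenated
// straight into admin HTML, so any markup it carries is rendered, and any script
// in it runs, for the administrator who views the page. Not hooked anywhere.
function lscwp_demo_notice_vulnerable() {
    $group = lscwp_demo_vary_group_from_request();
    echo '<div class="notice notice-info"><p>Queued for CSS: ' . $group . '</p></div>';
}

// AFTER: the value is cleaned on the way in and escaped on the way out.
// sanitize_text_field() strips tags and control characters; esc_html() encodes
// what is left so it renders as text inside element content; esc_attr() does
// the same for attribute values.
function lscwp_demo_notice_hardened() {
    $group = sanitize_text_field( lscwp_demo_vary_group_from_request() );
    printf(
        '<div class="notice notice-info" data-group="%s"><p>Queued for CSS: %s</p></div>',
        esc_attr( $group ),
        esc_html( $group )
    );
}
add_action( 'admin_notices', 'lscwp_demo_notice_hardened' );

// A REST route that accepts such data needs an explicit permission check; a
// permission_callback of __return_true would leave it reachable unauthenticated.
function lscwp_demo_queue_handler( WP_REST_Request $request ) {
    $group = sanitize_text_field( (string) $request->get_param( 'group' ) );
    return rest_ensure_response( array( 'group' => $group ) );
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'lscwp-demo/v1', '/queue', array(
        'methods'             => 'POST',
        'callback'            => 'lscwp_demo_queue_handler',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

Dropping this into a small test plugin and sending the header with a `<b>` tag shows the difference directly: the hardened notice prints the tag as literal text, while the unhooked vulnerable function would have rendered it.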