CVE-2024-47374 is a high-severity vulnerability in LiteSpeed Cache, a WordPress caching and optimization plugin with more than 6 million active installations. It is an unauthenticated stored cross-site scripting (XSS) flaw: anyone who can send HTTP requests to a vulnerable site can plant a script that later runs in the browser of an administrator who views the affected page. Because that script executes with the administrator's session, it can be used to steal credentials or session tokens, expose sensitive data, or perform administrative actions on the attacker's behalf, up to complete site takeover.
Vulnerability ID: CVE-2024-47374
Severity: High (CVSS 7.1)
Affected Software: LiteSpeed Cache Plugin for WordPress
Patched Version: 6.5.1
Date of Discovery: October 2, 2024
Reported by: Tai You, Patchstack Alliance
Technical Details
This stored XSS vulnerability is exploitable without authentication and results from insufficient input sanitization combined with missing output escaping in LiteSpeed Cache. The plugin reads a value from an HTTP request header as part of its "Vary Group" handling and places it, without adequate sanitization, into the Critical CSS (CCSS) and Unique CSS (UCSS) generation queues. The stored value is later rendered without escaping, so an attacker-controlled string containing HTML or script is emitted as markup rather than as text.
Attack Requirements:
- Vector: Network
- Privileges Required: None (unauthenticated exploit)
- Complexity: Low
The vulnerable code path is only reached when two settings are enabled in the LiteSpeed Cache configuration under Page Optimization:
- CSS Combine: merges CSS files to reduce the number of HTTP requests.
- Generate UCSS: builds a unique CSS file per page, stripping styles the page does not use.
With both settings active, an unauthenticated attacker sends a request carrying a crafted header value; the plugin queues that value for UCSS generation and stores it server-side. The payload executes when an administrator later loads the page on which the plugin renders the queued entry. Running with the administrator's cookies and nonces, the script can then perform privileged actions, which is what turns an XSS into a privilege escalation.
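The following is an added, language-neutral model of the bug class described above; it is not LiteSpeed Cache code, and the header name `X-Example-Vary`, the queue layout and the admin listing are assumptions made for the demonstration (the advisory does not disclose the real header). It contrasts the vulnerable pattern (store a raw header value, render it unescaped) with the hardened one (allowlist the value on input and escape every field on output), and shows that output escaping alone is enough to neutralize a payload that was already stored:

```python
"""
Illustrative model of the CVE-2024-47374 bug class (added example, not
LiteSpeed Cache code). A request-header value is queued server-side and
later rendered to an administrator. The header name, the queue shape and
the admin listing are assumptions made for this demonstration.
"""
import html
import re

# Constructed sample requests: a benign vary value and an XSS payload.
SAMPLE_REQUESTS = [
    {"path": "/", "headers": {"X-Example-Vary": "mobile"}},
    {"path": "/", "headers": {"X-Example-Vary": "<script>alert(document.cookie)</script>"}},
]

# A vary group is an opaque cache-key component; nothing outside this
# allowlist has a legitimate reason to appear in it (assumed format).
VARY_ALLOWED = re.compile(r"^[A-Za-z0-9_.:-]{1,64}$")


def queue_vulnerable(queue, request):
    """Vulnerable pattern: store the raw header value as received."""
    vary = request["headers"].get("X-Example-Vary", "")
    queue.append({"url": request["path"], "vary": vary})


def render_queue_vulnerable(queue):
    """Vulnerable pattern: interpolate stored fields into admin HTML unescaped."""
    rows = "".join(f"<tr><td>{e['url']}</td><td>{e['vary']}</td></tr>" for e in queue)
    return f"<table>{rows}</table>"


def queue_hardened(queue, request):
    """Input validation: reject any value outside the allowlist before storing.

    Returns True if the entry was queued, False if it was dropped.
    """
    vary = request["headers"].get("X-Example-Vary", "")
    if vary and not VARY_ALLOWED.match(vary):
        return False
    queue.append({"url": request["path"], "vary": vary})
    return True


def render_queue_hardened(queue):
    """Output escaping: HTML-encode every stored field at render time.

    This is sufficient on its own to neutralize a payload that slipped
    past input validation, which is why both layers are used together.
    """
    rows = "".join(
        f"<tr><td>{html.escape(e['url'])}</td><td>{html.escape(e['vary'])}</td></tr>"
        for e in queue
    )
    return f"<table>{rows}</table>"


def demo():
    """Run both pipelines over the sample requests; returns (vulnerable, hardened) HTML."""
    vuln_q, hard_q = [], []
    for req in SAMPLE_REQUESTS:
        queue_vulnerable(vuln_q, req)
        queue_hardened(hard_q, req)
    return render_queue_vulnerable(vuln_q), render_queue_hardened(hard_q)


if __name__ == "__main__":
    vuln_html, hard_html = demo()
    print("vulnerable:", vuln_html)
    print("hardened:  ", hard_html)
```

In a WordPress plugin the equivalents are `sanitize_text_field()` (or a stricter allowlist) when the value is read from `$_SERVER`, and `esc_html()` / `esc_attr()` at the point where it is printed into an admin template.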
Impact Analysis
If CVE-2024-47374 is successfully exploited, attackers can achieve the following:
- Cross-Site Scripting (XSS): Store a script on the site that runs in administrators' browsers, harvesting session cookies, nonces, or other data visible to an admin session.
- Privilege Escalation: Use the administrator's session to perform privileged actions (for example creating an additional administrator account or changing plugin settings), gaining persistent control without ever authenticating.
- Data Theft: Read or modify sensitive data, including user credentials and site configuration.
Given the plugin’s popularity, the vulnerability poses a significant risk across a large number of sites.
Mitigation Recommendations
Immediate Actions:
- Update LiteSpeed Cache: Upgrade to version 6.5.1 or later, which contains the fix.
- Verify Plugin Settings: If you cannot update immediately, disable CSS Combine and Generate UCSS under Page Optimization as a stopgap; the vulnerable code path requires both. Re-enable them only after updating.
Enhanced Security Recommendations:
- Content Security Policy (CSP): Use CSP headers to restrict where scripts may load from and to disallow inline script where possible. Treat this as defence in depth rather than a fix: the WordPress admin relies heavily on inline scripts, so a policy strict enough to block an injected inline payload usually needs nonce- or hash-based allowances and careful testing.
- Access Monitoring: Enable monitoring for unusual activity, especially for admin logins and modifications to settings.
Long-term Hardening:
- Web Application Firewall (WAF): Deploy a WAF that inspects request headers, not only the URL and body, and blocks requests whose header values contain HTML tags, script fragments, or encoded variants of them.
- Regular Security Audits: Perform periodic audits on all active plugins, especially those with high user counts and broad functionalities.
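Two small triage helpers for the recommendations above, added here as an example and not part of the advisory or of any vendor tooling: a version check that tells you whether an installed LiteSpeed Cache version predates the 6.5.1 fix, and a header screen that implements the WAF recommendation as a pre-filter, decoding the usual percent-encoding and HTML-entity tricks before matching. The `X-Example-Vary` header name and the sample requests are constructed for the demonstration; the real header targeted by the vulnerability is not disclosed on this page.

```python
"""
Added example: triage helpers for the CVE-2024-47374 mitigations.
Not part of LiteSpeed Cache or of any WAF product; the header name and
sample requests below are constructed for this demonstration.
"""
import html
import re
from urllib.parse import unquote

# First version that contains the fix, per the advisory.
PATCHED_VERSION = (6, 5, 1)


def parse_version(version):
    """'6.5.0.2' -> (6, 5, 0, 2); non-numeric suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_version(version):
    """True if the installed plugin version predates 6.5.1."""
    return parse_version(version) < PATCHED_VERSION


# Markup or script fragments that have no business in a cache-vary header:
# an opening/closing tag, a javascript: URL, or an on*= event handler.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def normalize(value):
    """Undo the encodings commonly used to sneak markup past a naive
    filter: percent-encoding (applied twice) and HTML entities."""
    return html.unescape(unquote(unquote(value)))


def screen_request(headers):
    """Return a list of (header_name, matched_fragment) findings.

    An empty list means the request passed the screen.
    """
    findings = []
    for name, value in headers.items():
        match = XSS_MARKERS.search(normalize(value))
        if match:
            findings.append((name, match.group(0)))
    return findings


# Constructed sample requests (header dicts only): benign, plain payload,
# and a double-encoded payload that a literal '<script' match would miss.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0", "X-Example-Vary": "mobile"},
    {"User-Agent": "Mozilla/5.0", "X-Example-Vary": "<script>alert(1)</script>"},
    {"User-Agent": "Mozilla/5.0",
     "X-Example-Vary": "%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"},
]


def triage(installed_version, requests=SAMPLE_REQUESTS):
    """Summarize exposure: version status plus per-request screen results."""
    return {
        "version_vulnerable": is_vulnerable_version(installed_version),
        "blocked_requests": [i for i, h in enumerate(requests) if screen_request(h)],
    }


if __name__ == "__main__":
    print(triage("6.5.0.2"))
    print(triage("6.5.1"))
```

The screen is deliberately strict about vary-style headers; if you deploy something similar in front of a real site, scope it to the headers the plugin actually consumes rather than every header, or benign values such as a `Referer` containing a query string may trip it.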
Proof of Concept (PoC)
A PoC for this vulnerability demonstrates how a malicious HTTP header, crafted to target the Vary Group functionality, injects code that persists in the plugin's stored CSS queue data. Once stored, the script executes when an administrator views the affected page. Full technical details are withheld to avoid aiding active exploitation.
Action Required: All LiteSpeed Cache users must update to version 6.5.1 or later to mitigate this high-risk XSS vulnerability and protect against potential exploitation.