A high-severity security flaw (CVE-2024-47374) has been discovered in the LiteSpeed Cache plugin for WordPress, impacting versions up to and including 6.5.0.2. This vulnerability, categorized as stored cross-site scripting (XSS), allows unauthenticated attackers to execute arbitrary JavaScript code, potentially leading to privilege escalation and theft of sensitive information.
The flaw arises from improper sanitization of the X-LSCACHE-VARY-VALUE HTTP header, which can be exploited when certain Page Optimization settings are enabled. The issue was patched in version 6.5.1, released on September 25, 2024. This vulnerability underscores the importance of updating the plugin immediately, as it impacts over six million active installations worldwide.
Vulnerability Details:
- CVE ID: CVE-2024-47374
- Plugin Affected: LiteSpeed Cache (WordPress)
- Versions Affected: Up to and including version 6.5.0.2
- Patched Version: 6.5.1
- Date of Patch Release: September 25, 2024
- CVSS Score: 7.2 (High Severity)
- Type of Vulnerability: Stored Cross-Site Scripting (XSS)
Stored XSS, also known as persistent XSS, occurs when a malicious script is injected and stored on the web server, such as in a database or comment section. The script is then executed every time an unsuspecting user visits the affected page.
Exploitation Conditions:
The vulnerability requires the “CSS Combine” and “Generate UCSS” settings in the plugin’s Page Optimization feature to be enabled. Under these conditions, an attacker-supplied value in the X-LSCACHE-VARY-VALUE HTTP header is stored and later rendered without proper sanitization or output escaping, allowing arbitrary web scripts to be injected.
Exploitation Impact:
- Privilege Escalation: The attack can enable privilege escalation by executing malicious JavaScript that hijacks user sessions. If the compromised session belongs to an administrator, the attacker could gain full control of the site.
- Data Theft: Sensitive information, such as session tokens, cookies, and credentials, could be stolen from unsuspecting users.
- Site Defacement or Malware Delivery: Attackers can use the flaw to inject malicious content, alter site behavior, or deliver browser-based exploits.
Mitigation and Remediation:
- Update to Version 6.5.1: Website administrators must immediately update the LiteSpeed Cache plugin to version 6.5.1 or higher, which contains the fix for the vulnerability.
- Disable Exploitable Settings: If the plugin update is not immediately feasible, disabling the “CSS Combine” and “Generate UCSS” settings in the Page Optimization options may reduce the attack surface.
- Implement a Web Application Firewall (WAF): Consider using a WAF that can filter and block suspicious HTTP requests targeting XSS vulnerabilities.
- Review User Privileges: Conduct an audit of all user accounts, especially those with administrative privileges, to ensure that no unauthorized changes have been made following any potential exploitation.
Technical Analysis:
The vulnerability originates from improper handling of the X-LSCACHE-VARY-VALUE HTTP header within the LiteSpeed Cache plugin. Due to insufficient sanitization and output escaping, attackers can inject arbitrary JavaScript, which is stored on the server and executed whenever users interact with affected pages.
Example Exploit Scenario:
- An attacker sends a specially crafted HTTP request with malicious JavaScript in the X-LSCACHE-VARY-VALUE header.
- The vulnerable LiteSpeed Cache plugin stores this unfiltered value.
- Whenever a site visitor, including administrators, accesses a page related to the injected value, the script is executed.
- The script can steal session cookies or execute administrative functions on behalf of the victim.
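As an added illustration (not the plugin's own code and not the fix that shipped in 6.5.1), the following Python shows the defensive pattern the technical analysis implies: validate the header against an allowlist before storing it, escape it again on output, and flag log records whose value falls outside the allowlist. The allowlist pattern, the JSON log format and the sample records are assumptions constructed for this example.

```python
import html
import json
import re

# Allowlist for the vary value: short tokens such as "guest" or "logged-in_1",
# optionally joined by commas. Anything outside this pattern is rejected rather
# than "cleaned", which is the safe default for a value that ends up in markup.
# (The pattern is an assumption for this example, not the plugin's own rule.)
VARY_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-]{1,64}(,[A-Za-z0-9_\-]{1,64}){0,7}$")


def validate_vary_value(raw):
    """Return the header value if it passes the allowlist, otherwise None."""
    if raw is None:
        return None
    value = raw.strip()
    return value if VARY_VALUE_RE.fullmatch(value) else None


def render_vary_attr(value):
    """Escape on output as well: defence in depth if validation is ever bypassed."""
    return '<div data-vary="%s"></div>' % html.escape(value, quote=True)


def scan_access_log(lines):
    """Flag JSON log records whose X-LSCACHE-VARY-VALUE fails the allowlist."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed records instead of aborting the scan
        raw = rec.get("headers", {}).get("X-LSCACHE-VARY-VALUE")
        if raw is not None and validate_vary_value(raw) is None:
            findings.append((rec.get("client"), rec.get("uri"), raw))
    return findings


# Constructed sample records (not real traffic); the third carries markup.
SAMPLE_LOG = [
    '{"client": "203.0.113.10", "uri": "/", "headers": {"X-LSCACHE-VARY-VALUE": "guest"}}',
    '{"client": "203.0.113.11", "uri": "/shop/", "headers": {"X-LSCACHE-VARY-VALUE": "logged-in_1,cart"}}',
    '{"client": "198.51.100.7", "uri": "/", "headers": {"X-LSCACHE-VARY-VALUE": "<script>alert(1)</script>"}}',
    '{"client": "198.51.100.8", "uri": "/about/", "headers": {}}',
]

if __name__ == "__main__":
    for client, uri, raw in scan_access_log(SAMPLE_LOG):
        print("suspicious vary value from %s on %s: %r" % (client, uri, raw))
```

Rejecting rather than stripping keeps the stored value within a known alphabet, so the output escaping is a second layer rather than the only one.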
Related Vulnerabilities:
This disclosure follows the recent identification of other vulnerabilities in WordPress plugins:
- CVE-2024-44000 (CVSS 7.5): Flaw in LiteSpeed Cache allowing unauthenticated users to control arbitrary accounts.
- CVE-2024-43917 (CVSS 9.8): Critical SQL injection vulnerability in the TI WooCommerce Wishlist plugin, enabling unauthenticated users to execute arbitrary SQL queries.
- CVE-2024-7772 (CVSS 9.8): Vulnerability in the Jupiter X Core plugin allowing unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution.
These incidents emphasize the need for vigilance in keeping WordPress plugins up to date to prevent security breaches.
Conclusion:
CVE-2024-47374 represents a significant risk for websites using the LiteSpeed Cache plugin due to its widespread adoption. Failure to patch this vulnerability can result in serious consequences, including unauthorized control of the website, sensitive data theft, and other malicious activities. Website administrators must promptly apply the available patch and implement additional security measures to mitigate the risk of exploitation.