October 4, 2024 at 06:00AM
A high-severity security flaw in the LiteSpeed Cache plugin for WordPress (CVE-2024-47374) allows for arbitrary JavaScript code execution. The flaw was patched in version 6.5.1 on September 25, 2024, after being responsibly disclosed. This vulnerability could enable privilege escalation and affects all versions up to 6.5.0.2, potentially impacting the over six million active installations.
From the meeting notes, it is clear that a high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress. This flaw, known as CVE-2024-47374 with a CVSS score of 7.2, is a stored cross-site scripting (XSS) vulnerability affecting all versions of the plugin up to and including 6.5.0.2. The flaw was addressed in version 6.5.1 on September 25, 2024, following responsible disclosure by Patchstack Alliance researcher TaiYou.
The flaw allows for the injection of arbitrary web scripts due to inadequate sanitization and output escaping in the processing of the “X-LSCACHE-VARY-VALUE” HTTP header value. It is worth noting that the exploit requires the Page Optimization settings “CSS Combine” and “Generate UCSS” to be enabled.
Stored XSS attacks, such as this vulnerability, can have serious consequences, including browser-based exploits, sensitive information theft, and hijacking of authenticated user sessions. This poses a significant risk to the over six million active installations of the LiteSpeed Cache plugin for WordPress.
Additionally, it is mentioned that the latest patch for the LiteSpeed Cache plugin was released nearly a month after the developers addressed another flaw (CVE-2024-44000, CVSS score: 7.5) and follows the disclosure of unpatched critical security vulnerabilities in other WordPress plugins, such as the TI WooCommerce Wishlist and Jupiter X Core plugins.
In summary, the meeting notes provide a comprehensive overview of the security vulnerabilities affecting various WordPress plugins, highlighting the critical need for timely patching and security measures to protect against potential exploits.