Single HTTP Request Can Exploit 6M WordPress Sites

October 8, 2024 at 08:36AM

A popular WordPress plug-in, LiteSpeed Cache, contains a cross-site scripting flaw (CVE-2024-47374) that has been exploited by attackers, potentially enabling privilege escalation and the installation of malicious code on affected websites. A simple patch has been issued by Patchstack, and administrators should update to the fixed version 6.5.1 immediately to close the vulnerability.

There is a serious security vulnerability in the LiteSpeed Cache WordPress plug-in. The flaw, tracked as CVE-2024-47374, is an unauthenticated stored XSS vulnerability that can allow attackers to escalate privileges and potentially install malicious code on affected websites. The plug-in has other vulnerabilities as well, but CVE-2024-47374 is the most dangerous and the one expected to be exploited by attackers.

The developers of the LiteSpeed Cache plug-in have released version 6.5.1, which fixes all three vulnerabilities, and it is crucial that all users of the plug-in update immediately to avoid being exposed to attack.

In the meantime, Patchstack has issued a virtual patch that blocks attacks against the flaw until customers have updated to the fixed version. Administrators of WordPress sites that use LiteSpeed Cache are also advised to follow Patchstack's recommendations on output escaping and input sanitization to mitigate the vulnerability.

All users of the LiteSpeed Cache plug-in should take immediate action: update to the fixed version 6.5.1 and follow the recommendations provided by Patchstack to keep their websites secure.