WordPress Lite Speed Cache Plugin Security Flaw Exposes Sites to XSS

A recently disclosed high-severity security flaw (CVE-2024-47374) has been identified in the LiteSpeed Cache plugin for WordPress, affecting all versions up to and including 6.5.0.2. The vulnerability, which carries a CVSS score of 7.2, is classified as a stored cross-site scripting (XSS) issue. This flaw allows attackers to inject arbitrary JavaScript code that could potentially lead to the theft of sensitive information or privilege escalation on affected WordPress sites.

The vulnerability can be exploited via a single HTTP request, even by an unauthenticated user, making it particularly dangerous. It was responsibly disclosed by TaiYou, a researcher from Patchstack Alliance, and fixed in version 6.5.1, released on September 25, 2024. WordPress site owners using the LiteSpeed Cache plugin should update to the latest version as soon as possible to mitigate the risk.

This type of flaw emphasizes the importance of regularly updating plugins and being aware of security advisories.

The security flaw in the LiteSpeed Cache plugin (CVE-2024-47374) stems from improper handling of the “X-LSCACHE-VARY-VALUE” HTTP header, which lacks adequate sanitization and output escaping. This flaw opens the door for the injection of malicious JavaScript code, a hallmark of stored (or persistent) cross-site scripting (XSS) attacks. The exploit is only successful if certain Page Optimization settings, specifically “CSS Combine” and “Generate UCSS,” are enabled.

Stored XSS vulnerabilities are particularly dangerous because they allow malicious scripts to be saved on the server, whether in a database or other web resources like comment sections or visitor logs. When unsuspecting users visit the compromised page, the malicious code executes, potentially resulting in a range of attacks, such as browser-based exploits, data theft, or even session hijacking.

Technical details

  1. CVE-2024-47374 (LiteSpeed Cache Plugin XSS):
  • Vulnerability Type: Stored (Persistent) Cross-Site Scripting (XSS)
  • CVSS Score: 7.2 (High)
  • Affected Versions: All versions up to and including 6.5.0.2
  • Fixed Version: 6.5.1
  • Root Cause: Improper sanitization and escaping of the “X-LSCACHE-VARY-VALUE” HTTP header value.
  • Attack Vector:
    • The vulnerability is triggered by the way the plugin parses the “X-LSCACHE-VARY-VALUE” The lack of proper input validation allows attackers to inject arbitrary JavaScript code into the header.
    • Malicious scripts can be stored permanently on the affected site and execute whenever an unsuspecting visitor loads the page containing the injected code.
  • Exploit Conditions:
    • The LiteSpeed Cache plugin’s Page Optimization settings must have both “CSS Combine” and “Generate UCSS” enabled for the attack to be successful.
  • Potential Impact:
    • Privilege escalation: Unauthenticated attackers could escalate privileges to higher-level users.
    • Session hijacking: If the attack targets an authenticated session (e.g., an administrator’s), the attacker could fully control the site.
    • Data theft: Sensitive data could be stolen from site users, particularly those with elevated privileges.
  1. CVE-2024-44000 (Previous LiteSpeed Cache Vulnerability):
  • Vulnerability Type: Authentication Bypass
  • CVSS Score: 7.5 (High)
  • Affected Versions: Unspecified older versions prior to the fix
  • Impact: Allowed unauthenticated users to gain control of arbitrary user accounts, including administrative ones.
  1. CVE-2024-43917 (TI WooCommerce Wishlist Plugin SQL Injection):
  • Vulnerability Type: SQL Injection
  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Allows any unauthenticated user to execute arbitrary SQL queries against the WordPress database.
  • Impact:
    • Full database compromise, enabling attackers to exfiltrate, delete, or modify sensitive data.
    • Remote code execution (RCE) through SQL injections may be possible in some configurations, depending on database permissions and environment.
  1. CVE-2024-7772 (Jupiter X Core Plugin File Upload):
  • Vulnerability Type: Arbitrary File Upload / Remote Code Execution (RCE)
  • CVSS Score: 9.8 (Critical)
  • Affected Versions: Versions before 4.7.8
  • Impact:
    • Attackers can upload arbitrary files to the web server, potentially leading to the execution of malicious code.
    • If successful, this would allow full control of the compromised site.
  1. CVE-2024-7781 (Jupiter X Core Plugin Authentication Bypass):
  • Vulnerability Type: Authentication Bypass
  • CVSS Score: 8.1 (High)
  • Impact:
    • Unauthenticated attackers could log in as the first user who used a social media account to authenticate on the WordPress site. If that user is an administrator, this flaw could result in full site compromise.

Impact

  1. Stored XSS (CVE-2024-47374) in LiteSpeed Cache Plugin:
  • Site-Wide Compromise: Since this is a stored XSS vulnerability, once the malicious script is injected, it remains on the site, executing each time a user visits the affected page. If an administrator visits the page, their session can be hijacked, giving the attacker administrative control over the site.
  • Privilege Escalation: Attackers can leverage XSS to elevate their privileges from a low-level user to an administrator, gaining full control of the website.
  • Session Hijacking: Attackers can steal session cookies, particularly for users with elevated privileges, allowing them to impersonate those users and perform actions on their behalf.
  • Data Theft: Sensitive information, such as user credentials, personal data, or payment details, can be exfiltrated. Attackers could install additional malicious scripts to capture and send this data to an external server.
  • Infection of Visitors: Visitors to the compromised site may unknowingly download malicious scripts or malware, especially if the injected script is designed to serve as a vector for broader attacks, including browser-based exploits.
  • Search Engine Blacklisting: If a site is infected with malicious code, search engines like Google may flag the site as malicious, damaging its reputation and leading to a drop in traffic.
  1. Previous LiteSpeed Cache Vulnerability (CVE-2024-44000):
  • Account Takeover: This authentication bypass vulnerability allowed unauthenticated users to take control of arbitrary accounts, including administrator accounts. This could lead to full site compromise, similar to the effects of XSS.
  1. SQL Injection in TI WooCommerce Wishlist (CVE-2024-43917):
  • Full Database Compromise: SQL injection vulnerabilities allow attackers to directly interact with the site’s database, potentially leading to the following:
    • Data manipulation: Attackers could add, modify, or delete records, including users, orders, or payment details.
    • Credential Theft: Attackers can retrieve user credentials, including hashed passwords, which may be cracked offline.
    • Ransomware Deployment: In severe cases, attackers could encrypt critical data in the database and demand ransom payments to restore access.
    • Remote Code Execution (RCE): Under certain conditions, SQL injection can be used to execute arbitrary code on the server, leading to complete server takeover.
  1. Arbitrary File Upload (RCE) in Jupiter X Core Plugin (CVE-2024-7772):
  • Remote Code Execution: The arbitrary file upload flaw allows attackers to upload malicious files, such as web shells, to the server. This could lead to:
    • Complete Site Takeover: The attacker can execute commands directly on the web server, enabling them to modify or delete files, alter the website, or install additional malware.
    • Lateral Movement: From the web server, attackers may move laterally across the server environment, compromising other websites hosted on the same server.
    • Botnet Deployment: Compromised websites could be co-opted into botnets to conduct further attacks, such as distributed denial-of-service (DDoS) campaigns or crypto-mining.
  1. Authentication Bypass in Jupiter X Core Plugin (CVE-2024-7781):
  • Unauthorized Access: This flaw allows attackers to log in as the first user who authenticated with a social media account, which could be an administrator. Once logged in, attackers gain full control over the site.
  • Privilege Escalation: The ability to bypass authentication can result in attackers granting themselves additional privileges, allowing them to modify the site, add malicious content, or deactivate security measures.

Recommendations

  1. Immediate Plugin Updates:
  • Update LiteSpeed Cache: Ensure your LiteSpeed Cache plugin is updated to version 6.5.1 or higher, which addresses the stored XSS vulnerability (CVE-2024-47374). This is essential to prevent malicious actors from exploiting the flaw.
  • Update other vulnerable plugins:
    • TI WooCommerce Wishlist: Monitor for patches for CVE-2024-43917 and update as soon as a fix is released.
    • Jupiter X Core Plugin: Update to version 4.7.8 or higher to patch both the file upload vulnerability (CVE-2024-7772) and the authentication bypass (CVE-2024-7781).
  1. Disable Risky Features Temporarily:
  • Disable “CSS Combine” and “Generate UCSS” in the LiteSpeed Cache plugin if updating to the latest version isn’t immediately possible. These settings are required for the XSS exploit to be successful.
  1. Security Hardening Measures:
  • Use Web Application Firewalls (WAF): Implement a WAF to block malicious HTTP requests, including potential exploitation of XSS and SQL injection vulnerabilities.
  • Sanitize and escape all user inputs: If you have custom development on your WordPress site, ensure all user inputs, such as comments, forms, and headers, are properly sanitized and escaped to prevent injection attacks.
  • Enable Content Security Policy (CSP): Deploy a strict CSP to prevent the execution of injected JavaScript on your site, even if malicious scripts are inserted.
  1. Regularly Monitor and Audit Plugins:
  • Monitor vulnerability databases and security advisories: Regularly check trusted sources (e.g., Patchstack, Wordfence) for security advisories and plugin updates.
  • Audit and remove unused plugins: Unused or unnecessary plugins increase your attack surface. Regularly review and deactivate or remove plugins that are not essential.
  1. Implement Strong Authentication Controls:
  • Use Two-Factor Authentication (2FA) for all administrator accounts. This provides an extra layer of security against account takeover attempts.
  • Limit login attempts to prevent brute-force attacks, particularly if vulnerabilities like authentication bypasses have existed.
  1. Regular Backups and Incident Response:
  • Create regular backups of your WordPress site and database. In case of an attack or compromise, you should be able to restore the site to a clean version.
  • Develop an incident response plan for security breaches. Ensure you have a clear protocol for identifying, responding to, and recovering from security incidents.
  1. Use Security Plugins:
  • Install WordPress security plugins like Wordfence, Sucuri, or Patchstack, which can detect malicious activity, XSS attacks, SQL injections, and other potential threats in real time.
  1. Review User Permissions:
  • Limit user roles and permissions on your WordPress site. Ensure that only trusted users have administrative or higher-level privileges, reducing the risk of privilege escalation attacks.
  1. Review Logs and Alerts:
  • Monitor your server logs for suspicious activity, such as unusual requests, login attempts, or file uploads, which could indicate exploitation attempts.
  • Set up alerts for key actions like plugin modifications, file uploads, and user account changes.