WordPress Plugin Vulnerability Report – LiteSpeed Cache – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2023-4372
Plugin Name: LiteSpeed Cache
Key Information:
- Software Type: Plugin
- Software Slug: litespeed-cache
- Software Status: Active
- Software Author: litespeedtech
- Software Downloads: 52,564,430
- Active Installs: 4,000,000
- Last Updated: October 23, 2023
- Patched Versions: 5.7
- Affected Versions: <=5.6
Vulnerability Details:
- Name: LiteSpeed Cache <= 5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2023-4372
- CVSS Score: 6.4 (Medium)
- Publicly Published: October 23, 2023
- Researcher: Lana Codes
- Description: The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'esi' shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The LiteSpeed Cache plugin for WordPress has a vulnerability in versions up to and including 5.6 that allows authenticated users with contributor access or higher to inject arbitrary JavaScript payloads into pages that will execute when visited by other users. This vulnerability has been patched in version 5.7.
Detailed Overview:
On October 23, 2023, researcher Lana Codes publicly disclosed an authenticated stored cross-site scripting vulnerability in the LiteSpeed Cache WordPress plugin. The vulnerability is caused by insufficient input sanitization and output escaping of the user-supplied attributes of the ESI shortcode. By placing malicious script in a shortcode attribute, a contributor-level user or higher could store the payload in the page content. When visitors load a compromised page, the script executes in their browser with the privileges of their user account on the site. This could be leveraged for actions like session hijacking, site defacement and phishing. All versions up to and including 5.6 are affected. Users are urged to update to version 5.7 or higher as soon as possible to mitigate this vulnerability.
Advice for Users:
- Immediate Action: Update to LiteSpeed Cache version 5.7 as soon as possible.
- Check for Signs of Compromise: Review post and page content for unauthorized code added by users, paying particular attention to uses of the ESI shortcode.
- Alternate Plugins: Consider alternative cache plugins like WP Rocket or WP Fastest Cache as a precaution.
- Stay Updated: Always keep plugins updated to avoid potential vulnerabilities.
Conclusion:
This vulnerability demonstrates the importance of secure coding practices like input validation and output escaping. The quick response by LiteSpeed to issue a patch is encouraging. All users should update as soon as possible to LiteSpeed Cache version 5.7 or later.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/litespeed-cache
Detailed Report:
Keeping your WordPress website secure requires constant vigilance - new threats emerge daily. Unfortunately, a dangerous vulnerability was recently disclosed in a very popular WordPress plugin, underscoring the need to keep everything updated.
The LiteSpeed Cache plugin, with over 4 million active installs, is susceptible to a stored cross-site scripting vulnerability impacting versions up to and including 5.6. This issue allows users with contributor access or higher to inject malicious JavaScript payloads into pages that will execute when visited by other users.
This is an alarming vulnerability that puts WordPress sites of all sizes at risk. A successful exploit could lead to account hijacking, data theft, defacement and other malicious activity. While a patch has been issued in version 5.7, many sites likely remain outdated and vulnerable.
About the LiteSpeed Cache Plugin
The LiteSpeed Cache plugin is a free caching plugin developed by LiteSpeed Technologies to enhance WordPress site performance. With over 52 million downloads and 4 million active installs, it is one of the most popular cache plugins available.
Details of the Vulnerability
On October 23, 2023, researcher Lana Codes publicly disclosed an authenticated stored cross-site scripting (XSS) vulnerability affecting LiteSpeed Cache versions up to and including 5.6.
The vulnerability allows users with contributor level access or higher to inject malicious JavaScript payloads into pages using the ESI shortcode. This happens because of insufficient input sanitization and output escaping of the shortcode attributes.
The payloads are stored in the page content and execute in the browsers of visitors to the compromised pages. This could allow the attacker to hijack user sessions, steal sensitive data or deface the site.
The vulnerability received a CVSS severity score of 6.4 out of 10, meaning it is a medium risk vulnerability.
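To illustrate the class of bug described above, here is a constructed WordPress shortcode handler shown in a vulnerable form and a hardened form; it is an added example, not LiteSpeed Cache's code, and the tag name demo_esi and the attributes block and cache are assumptions for the demonstration.

```php
<?php
// Constructed example, not LiteSpeed Cache code. A shortcode such as
// [demo_esi block="sidebar" cache="private"] is parsed by WordPress into an
// $atts array whose values come straight from post content, which Contributors
// can write. Whatever the handler returns is rendered for every visitor.

// Vulnerable pattern: attribute values are concatenated into HTML unescaped,
// so a value containing a quote or a tag changes the structure of the output.
function demo_esi_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'block' => '', 'cache' => 'public' ), $atts, 'demo_esi' );
    return '<div class="esi-block" data-block="' . $atts['block']
         . '" data-cache="' . $atts['cache'] . '"></div>';
}

// Hardened pattern: validate on the way in, escape for the output context.
function demo_esi_hardened( $atts ) {
    $atts = shortcode_atts( array( 'block' => '', 'cache' => 'public' ), $atts, 'demo_esi' );

    // Input validation: 'cache' is an enum, so reject anything off the allow-list.
    $allowed_cache = array( 'public', 'private', 'no-cache' );
    $cache = in_array( $atts['cache'], $allowed_cache, true ) ? $atts['cache'] : 'public';

    // Input validation: the block name is an identifier; sanitize_key() keeps
    // only lowercase letters, digits, underscores and dashes.
    $block = sanitize_key( $atts['block'] );
    if ( '' === $block ) {
        return '';
    }

    // Output escaping: esc_attr() encodes quotes and angle brackets so the value
    // cannot leave the attribute it is placed in, even after validation.
    return sprintf(
        '<div class="esi-block" data-block="%s" data-cache="%s"></div>',
        esc_attr( $block ),
        esc_attr( $cache )
    );
}

add_shortcode( 'demo_esi', 'demo_esi_hardened' );
```

The two defenses are independent: validation narrows what is accepted, escaping makes the output safe even when validation is incomplete, which is why the fix described on this page does both.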
Previous LiteSpeed Cache Vulnerabilities
Unfortunately, this is not the first vulnerability found in LiteSpeed Cache. There have been 4 previous vulnerabilities disclosed since December 2020, indicating systemic issues with secure code development practices.
How to Patch This Vulnerability
The good news is that LiteSpeed Technologies quickly released version 5.7, which sanitizes input and escapes output correctly to patch this vulnerability.
Users of LiteSpeed Cache are urged to update to version 5.7 immediately to mitigate any risk. You should also review page content for unauthorized code that may have been injected already. As a precaution, consider alternate cache plugins like WP Rocket or WP Fastest Cache.
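For the content review step above, here is a constructed WP-CLI audit script (added example, not part of LiteSpeed Cache or the original report) that lists stored uses of the esi shortcode whose attribute string contains markup or event-handler fragments; the suspicious-fragment pattern is a heuristic assumption for triage, and flagged posts should be reviewed by hand.

```php
<?php
// Constructed audit script, not LiteSpeed Cache code.
// Run inside the WordPress install with WP-CLI:  wp eval-file esi-audit.php
// It inspects stored post_content (not the rendered, possibly cached, page)
// because that is where a Contributor's shortcode payload would live.
defined( 'ABSPATH' ) || exit;

global $wpdb;
$rows = $wpdb->get_results( $wpdb->prepare(
    "SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts} WHERE post_content LIKE %s",
    '%' . $wpdb->esc_like( '[esi' ) . '%'
) );

// WordPress's own shortcode regex, restricted to the [esi] tag.
$shortcode_pattern = '/' . get_shortcode_regex( array( 'esi' ) ) . '/s';

// Heuristic (assumption): an honest attribute string has no tags, no
// javascript: URLs and no on*= event-handler attributes. Quotes are not
// flagged because ordinary attribute values are quoted.
$suspicious = '/[<>]|javascript:|\bon[a-z]+\s*=/i';

$flagged = 0;
foreach ( $rows as $row ) {
    if ( ! preg_match_all( $shortcode_pattern, $row->post_content, $matches, PREG_SET_ORDER ) ) {
        continue;
    }
    foreach ( $matches as $m ) {
        $raw_atts = $m[3];   // capture group 3 is the raw attribute string
        if ( '' === trim( $raw_atts ) || ! preg_match( $suspicious, $raw_atts ) ) {
            continue;
        }
        $flagged++;
        $parsed = shortcode_parse_atts( $raw_atts );
        printf(
            "post %d (author %d, status %s): suspicious [esi] attributes %s\n",
            $row->ID,
            $row->post_author,
            $row->post_status,
            is_array( $parsed ) ? wp_json_encode( $parsed ) : $raw_atts
        );
    }
}
printf( "%d post(s) matched '[esi', %d shortcode use(s) flagged\n", count( $rows ), $flagged );
```

The author ID in each line tells you which contributor account to review; after updating to 5.7 the stored payload no longer executes, but it should still be removed from the content and the account examined.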
Staying Secure Requires Constant Vigilance
This vulnerability clearly demonstrates how essential it is to stay on top of plugin and theme updates. New threats emerge continually. While vendors like LiteSpeed may patch issues, your site remains vulnerable until updated.
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.