A critical security vulnerability has been revealed in the LiteSpeed Cache plugin for WordPress, allowing attackers to run arbitrary JavaScript code. This flaw, identified as CVE-2024-47374 with a CVSS score of 7.2, affects all versions up to 6.5.0.2. It was fixed in version 6.5.1 on September 25, 2024, after being responsibly disclosed by TaiYou from Patchstack.
The vulnerability is a stored cross-site scripting (XSS) flaw, enabling unauthorized users to execute malicious scripts on a targeted WordPress site. The issue arises from the plugin’s handling of HTTP header values, specifically the “X-LSCACHE-VARY-VALUE” header.
For the exploit to work, specific Page Optimization settings must be enabled. Stored XSS attacks, like this one, can have severe consequences, including data theft and privilege escalation.
WordPress plugins are frequently targeted by cybercriminals, and the LiteSpeed Cache plugin has a large user base of over six million active installations. This incident occurred just a month after another security flaw (CVE-2024-44000) was addressed by the developers.
Other recent vulnerabilities in WordPress plugins like TI WooCommerce Wishlist and Jupiter X Core have also been disclosed, emphasizing the importance of timely security patching and updates.
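To check hosts against the affected and fixed versions given above, the following added example (not code from LiteSpeed or Patchstack) walks a directory tree, reads each LiteSpeed Cache plugin header and flags installs older than 6.5.1. The plugin slug `litespeed-cache`, the main file name `litespeed-cache.php` and the `Version:` header layout are assumptions based on standard WordPress plugin conventions.

```python
import re
from pathlib import Path

FIXED = (6, 5, 1)  # first fixed release named in the article
# Assumption: standard plugin slug and main file name.
SLUG, MAIN_FILE = "litespeed-cache", "litespeed-cache.php"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)


def parse_version(header_text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = VERSION_RE.search(header_text[:8192])  # WordPress reads only the first 8 KB
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version, fixed=FIXED):
    """True if version < fixed, compared numerically with zero padding."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)


def audit(root):
    """Return sorted (plugin_dir, version, status) for each install under root."""
    findings = []
    for main in Path(root).rglob(MAIN_FILE):
        if main.parent.name != SLUG or main.parent.parent.name != "plugins":
            continue  # same file name elsewhere, not the plugin itself
        version = parse_version(main.read_text(errors="replace"))
        if version is None:
            status = "unknown"  # header missing or unreadable: check by hand
        else:
            status = "vulnerable" if is_vulnerable(version) else "patched"
        shown = ".".join(map(str, version)) if version else "?"
        findings.append((str(main.parent), shown, status))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for plugin_dir, version, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {version:10} {plugin_dir}")
```

Versions are compared as integer tuples because a plain string comparison mishandles multi-part versions such as 6.5.0.2 against 6.5.1 once any component reaches two digits.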