CVE-2023-4372: WordPress LiteSpeed Cache Plugin Flaw Exposes 4M Sites to XSS Attacks
On August 14, 2023, the Wordfence Threat Intelligence team discovered a stored Cross-Site Scripting (XSS) vulnerability in LiteSpeed Cache, one of the most popular WordPress caching plugins with over 4 million active installations. The flaw lets an authenticated attacker with Contributor-level permissions or higher inject arbitrary web scripts into pages through the plugin's shortcode.
LiteSpeed Cache is a site acceleration plugin that speeds up WordPress sites through server-level page caching and optimization features. It also provides an [esi] shortcode that invokes Edge Side Includes (ESI), so that individual blocks on a page can be cached and served with their own rules. The shortcode's implementation, however, is where the problem lay: an attribute meant to control caching could be abused to inject script, turning an optimization feature into an injection point.
Designated CVE-2023-4372 and assigned a CVSS base score of 6.4 (Medium), the issue stems from insufficient input sanitization and output escaping of the user-supplied 'cache' attribute of the shortcode in the plugin's ESI class. Because the attribute value was written into the generated markup as-is, a crafted shortcode was enough to break out of the intended attribute and inject a script.
What does this mean in practice? Any user with Contributor-level permissions or higher (a guest author allowed to draft posts, for example) could place the crafted shortcode in a post or page. Contributors cannot publish on their own, but a reviewer previewing the draft already renders the shortcode, and once the content is published the injected script runs in the browser of every visitor who loads the affected page, including logged-in administrators.
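The following PHP is an added illustration of the bug class described above, not code from LiteSpeed Cache: it models a shortcode handler that copies a 'cache' attribute into markup unescaped, beside a hardened version that restricts the value to a known set and escapes it on output. The function names, the exact ESI markup, and the attacker string are assumptions made for the example; the real plugin's ESI class is not reproduced here.

```php
<?php
// Added illustrative example (hypothetical names; not LiteSpeed Cache's code).
// Stand-ins so the file runs with `php example.php` outside WordPress; inside
// WordPress the real esc_attr() and shortcode_atts() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: the attacker-chosen 'cache' attribute is concatenated
// straight into the generated tag. Nothing stops a double quote in the value.
function esi_shortcode_vulnerable($atts) {
    $atts = shortcode_atts(['cache' => 'public'], (array) $atts);
    return '<esi:include src="/?esi=block" cache-control="' . $atts['cache'] . '" />';
}

// Hardened pattern: accept only the tokens the feature actually understands,
// then escape on output anyway so a future change to the allow-list cannot
// silently reintroduce the bug (defense in depth).
function esi_shortcode_hardened($atts) {
    $atts = shortcode_atts(['cache' => 'public'], (array) $atts);
    $allowed = ['public', 'private', 'no-cache'];
    $cache = in_array($atts['cache'], $allowed, true) ? $atts['cache'] : 'public';
    return '<esi:include src="/?esi=block" cache-control="' . esc_attr($cache) . '" />';
}

// Constructed attacker input. In post content this arrives as
//   [esi cache='public" onmouseover="alert(1)']
// (WordPress accepts single-quoted attribute values, so the double quote survives).
$malicious = ['cache' => 'public" onmouseover="alert(1)'];

echo esi_shortcode_vulnerable($malicious), "\n";
// <esi:include src="/?esi=block" cache-control="public" onmouseover="alert(1)" />
//   -> a new attribute (an event handler) has been injected into the tag.

echo esi_shortcode_hardened($malicious), "\n";
// <esi:include src="/?esi=block" cache-control="public" />
//   -> the unknown value is discarded; even without the allow-list, esc_attr()
//      alone would have emitted cache-control="public&quot; onmouseover=&quot;alert(1)".
```

The allow-list is the real fix for an attribute whose legitimate values are a handful of fixed tokens; `esc_attr()` is the safety net that should be applied to any untrusted value written into an HTML attribute regardless.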
Stored Cross-Site Scripting (XSS) is a class of vulnerability in which attacker-supplied script is persisted by the application (here, in post content) and served to every user who later loads the affected page. It is more dangerous than reflected XSS because the victim needs to do nothing beyond visiting the page, and the script runs with the victim's session, so it can read data the victim can see, make authenticated requests on the victim's behalf, or redirect the victim to a malicious site.
If the victim is an administrator, the script acts with administrator privileges: it can alter site content, create additional administrative users, edit theme or plugin files, or redirect visitors to attacker-controlled sites. All of this requires only one compromised Contributor account, or a site that lets visitors self-register with that role (WordPress assigns new registrants the Subscriber role by default, so granting Contributor on registration is a configuration choice worth reviewing).
After discovering CVE-2023-4372, Wordfence began its responsible disclosure process and notified the LiteSpeed Cache developers. A fix was prepared by August 16, 2023, and the patched release, version 5.7, was published to the WordPress.org plugin repository on October 10, 2023.
The fix is to update LiteSpeed Cache to version 5.7 or later; every release up to and including 5.6 is affected. Confirm the installed version on the Plugins screen rather than assuming automatic updates have run.
Beyond that update, the following reduce exposure to XSS in general:
- Keep WordPress core, themes and plugins up to date, and enable automatic updates where the site can tolerate them.
- Use a web application firewall (WAF) to block known exploit patterns; a WAF rule can buy time before a vendor patch is available, but it is not a substitute for updating.
- Deploy a Content Security Policy (CSP) that disallows inline script, so that an injected script tag or event-handler attribute does not execute even if it reaches the page. Test in Report-Only mode first, since WordPress core and many themes rely on inline scripts.
- Scan the site regularly for vulnerable plugin versions, and audit user accounts: a stored XSS of this kind needs a Contributor-level account, so remove unused accounts and be deliberate about which role self-registration grants.
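As an added example of the CSP advice above (not part of the page or of LiteSpeed Cache), this hypothetical must-use plugin sends a Report-Only policy for front-end requests. The file name, the report endpoint and the function names are assumptions; the WordPress hook and `header()` call are standard.

```php
<?php
/*
 * Plugin Name: Front-end CSP (added example)
 * Description: Hypothetical mu-plugin; save as wp-content/mu-plugins/csp.php.
 */

// Build the policy in its own function so it can be reviewed and tested
// separately from the hook that sends it.
function example_csp_policy($report_endpoint = '/csp-report') {
    $directives = [
        "default-src 'self'",
        // No 'unsafe-inline': an injected <script> block or onmouseover=
        // handler planted by a stored XSS is blocked by this directive.
        "script-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        // Assumed endpoint; point it at whatever collects your violation reports.
        'report-uri ' . $report_endpoint,
    ];
    return implode('; ', $directives);
}

// Start in Report-Only mode: WordPress core, themes and plugins emit inline
// scripts, so an enforcing policy without nonces or hashes will break them.
// Rename the header to Content-Security-Policy once the reports are clean.
function example_send_csp_header() {
    if (!headers_sent()) {
        header('Content-Security-Policy-Report-Only: ' . example_csp_policy());
    }
}

if (function_exists('add_action')) {
    // Inside WordPress: 'send_headers' fires while serving front-end requests.
    add_action('send_headers', 'example_send_csp_header');
} else {
    // Run directly with `php csp.php` to inspect the policy string.
    echo example_csp_policy(), "\n";
}
```

Review the violation reports for a few days, add nonces or hashes for the inline scripts the site legitimately needs, and only then switch to the enforcing header; a policy that is switched on blind will be switched off again the first time the editor breaks.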