CVE-2024-47374: LiteSpeed Cache Plugin Flaw Threatens Millions of WordPress Sites

by do son · October 2, 2024

A significant security vulnerability has been discovered in the LiteSpeed Cache plugin for WordPress, a widely used tool with over 6 million active installations. The flaw is an unauthenticated stored cross-site scripting (XSS) vulnerability that could allow attackers to steal sensitive information or escalate privileges on a WordPress site through a single HTTP request. The vulnerability has been assigned CVE-2024-47374 (CVSS 7.1) and was patched in version 6.5.1 of the plugin.

LiteSpeed Cache is an all-in-one site acceleration plugin designed to optimize WordPress websites. It features an exclusive server-level cache and a suite of optimization tools, including support for WordPress Multisite and compatibility with popular plugins like WooCommerce, bbPress, and Yoast SEO. Its primary goal is to enhance website performance by reducing load times and improving user experience.

The vulnerability allows any unauthenticated user to inject malicious scripts into the site’s administrative pages. This form of stored XSS means that the malicious code is stored on the server and executed when an administrator views the affected page. The implications are severe, ranging from the theft of sensitive information to full privilege escalation, potentially giving an attacker complete control over the website.

The issue stems from insufficient input sanitization and output escaping in certain functions of the plugin. Specifically, the functions responsible for generating Critical CSS (CCSS) and Unique CSS (UCSS) queues fail to properly handle user-supplied input from HTTP headers. The “Vary Group” functionality, which combines cache varies and user roles, can be manipulated through an HTTP header without proper sanitization, leading to the injection of malicious code.

For the vulnerability to be exploitable, two settings in the LiteSpeed Cache plugin must be enabled:

CSS Combine: Located under Page Optimization, this setting combines multiple CSS files into one to reduce HTTP requests.
Generate UCSS: Also under Page Optimization, this feature generates unique CSS for each page, improving load times by removing unused styles.

If both settings are active, the plugin becomes susceptible to the stored XSS attack due to the flawed handling of the “Vary Group” input.

The vulnerability was discovered by Tai You, a researcher with the Patchstack Alliance, a community of security professionals focused on WordPress vulnerabilities. Upon identifying the flaw, Tai You responsibly reported it to the plugin developers, allowing them to address the issue promptly.

The developers of LiteSpeed Cache responded quickly to the report and released a patch in version 6.5.1 of the plugin. Users are strongly urged to update to this version or later to protect their websites from potential attacks exploiting CVE-2024-47374.