A stored cross-site scripting (XSS) flaw in the LiteSpeed Cache plugin for WordPress (CVE-2024-47374, CVSS 7.2) has been disclosed. By getting malicious JavaScript stored in a site's output, an attacker could use it to take control of the site. All plugin versions up to and including 6.5.0.2 are affected; the plugin is installed on more than six million sites.
The flaw is reachable only when the “CSS Combine” and “Generate UCSS” settings are both enabled. The value of the X-LSCACHE-VARY-VALUE request header is used in the plugin's generated output without being sanitized or escaped, so an attacker can store a script payload simply by sending a crafted header. The payload then executes in the browser of whoever loads the affected page; if that visitor is a site administrator, the script runs with administrator privileges and can take over the site. The flaw was fixed in version 6.5.1, released on September 25, 2024.
In addition, another vulnerability (CVE-2024-44000, CVSS 7.5) was patched earlier in September. When the plugin's debug logging was enabled, its log recorded request headers, including session cookies, in a file that unauthenticated users could read, which made account takeover possible. It was fixed in version 6.5.0.1.
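As an added check covering both CVEs above (example code written for this page, not code from the LiteSpeed Cache project), the POSIX sh script below reads the installed plugin version and reports which of the two fixes it lacks. It assumes the plugin lives at the standard path wp-content/plugins/litespeed-cache/litespeed-cache.php and, when WP-CLI is installed, asks it for the version instead; the version thresholds are the fixed releases named in the article, and the comparison treats four-part versions correctly (6.5.0.2 sorts before 6.5.1).

```shell
#!/bin/sh
# Added example (not LiteSpeed Cache's or WordPress's own code): report whether an
# installed LiteSpeed Cache version still lacks the fixes for CVE-2024-44000
# (fixed in 6.5.0.1) and CVE-2024-47374 (fixed in 6.5.1).

# version_lt A B: succeed if dotted version A is older than B. Components are
# compared numerically, missing trailing components count as 0, and any
# non-digit suffix (e.g. "1-beta") is ignored, so 6.5.0.2 < 6.5.1 < 6.6.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# litespeed_cves VERSION: print the CVEs from the article that still apply to
# VERSION, space separated; print nothing when the version carries both fixes.
litespeed_cves() {
    v="$1"; out=""
    if version_lt "$v" 6.5.0.1; then out="CVE-2024-44000"; fi
    if version_lt "$v" 6.5.1; then out="${out:+$out }CVE-2024-47374"; fi
    printf '%s' "$out"
}

# installed_version [WP_ROOT]: read the plugin version via WP-CLI when it is
# available, otherwise from the "Version:" line of the plugin's main file.
# The plugin path is the default WordPress layout (an assumption of this example).
installed_version() {
    root="${1:-.}"
    if command -v wp >/dev/null 2>&1; then
        wp --path="$root" plugin get litespeed-cache --field=version 2>/dev/null && return
    fi
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*//p' \
        "$root/wp-content/plugins/litespeed-cache/litespeed-cache.php" 2>/dev/null | head -n 1
}

# Usage: sh litespeed_check.sh /var/www/html
# Exit status: 0 patched, 1 affected, 2 version could not be determined.
main() {
    ver="$(installed_version "$1")"
    if [ -z "$ver" ]; then
        echo "could not determine LiteSpeed Cache version under $1" >&2
        return 2
    fi
    cves="$(litespeed_cves "$ver")"
    if [ -n "$cves" ]; then
        echo "LiteSpeed Cache $ver is affected by: $cves (update to 6.5.1 or later)"
        return 1
    fi
    echo "LiteSpeed Cache $ver carries both fixes"
}

if [ $# -gt 0 ]; then main "$1"; fi
```

This is a version check only: the XSS is reachable only with CSS Combine and Generate UCSS enabled, and the cookie leak only with debug logging enabled, but the version is what has to change, so the script reports on that and leaves the settings review to the administrator.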
Site administrators are advised to update the plugin to version 6.5.1 or later immediately. Sites that ran a version before 6.5.0.1 with the plugin's debug logging enabled should also treat any sessions recorded in that log as exposed and invalidate them.