WordPress Cache Plugin Vulnerability May Allow Site Takeover

By dwirch | 2024-10-07

A stored cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin for WordPress (CVE-2024-47374, CVSS 7.2) could allow attackers to take control of affected sites by injecting malicious JavaScript. It affects plugin versions up to 6.5.0.2; the plugin is active on more than six million sites.

The vulnerability is present only when the “CSS Combine” and “Generate UCSS” settings are both enabled. The injection point is the “X-LSCACHE-VARY-VALUE” HTTP header. Because the payload is stored, it can escalate to a complete site takeover when the account compromised by the injected script belongs to a site administrator. The flaw was fixed in version 6.5.1, released on September 25, 2024.

Separately, an earlier flaw (CVE-2024-44000, CVSS 7.5) was patched in September. It allowed unauthorized users to access sensitive cookie data, making account takeover possible. That issue was fixed in version 6.5.0.1.

Site administrators should update the plugin to 6.5.1 or later immediately; that release addresses both issues.
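The practical question for an administrator is whether a given install still lacks one of the two fixes named above. The script below is an added example, not part of this article or of the LiteSpeed Cache plugin: it reads the `Version:` line from a WordPress plugin's main-file header, compares it numerically against the fix versions stated here (6.5.0.1 for CVE-2024-44000, 6.5.1 for CVE-2024-47374), and lists the CVEs the install is still exposed to. Numeric comparison matters because the versions have four components and a plain string comparison would misorder releases such as 6.10 and 6.9. The plugin directory name `litespeed-cache` and main file `litespeed-cache.php` are assumptions, and the sample header embedded in the script is constructed for the demo.

```python
"""Report which of the two LiteSpeed Cache CVEs an installed version still lacks a fix for.

Added example; not the plugin's own code. Plugin path names are assumptions.
"""
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Fix versions as stated in the article, keyed by CVE.
FIXED_IN = {
    "CVE-2024-44000": "6.5.0.1",  # sensitive cookie data exposure
    "CVE-2024-47374": "6.5.1",    # stored XSS via the X-LSCACHE-VARY-VALUE header
}

# WordPress plugin headers are "Key: value" lines inside the main file's top comment.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.5.0.2' into (6, 5, 0, 2); stop at the first non-numeric piece (e.g. '-beta')."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Component-wise numeric comparison: 6.5.0.2 < 6.5.1 and 6.9 < 6.10.

    Missing trailing components count as zero, so 6.5 == 6.5.0.
    """
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def header_version(plugin_source: str) -> Optional[str]:
    """Extract the 'Version:' header value from a WordPress plugin main file."""
    m = _VERSION_RE.search(plugin_source)
    return m.group(1) if m else None


def exposed_cves(installed: str) -> List[str]:
    """Return the CVEs in FIXED_IN whose fix version is newer than the installed one."""
    return [cve for cve, fixed in FIXED_IN.items() if version_lt(installed, fixed)]


def check_plugin_file(path: Path) -> Tuple[Optional[str], List[str]]:
    """Read the plugin header from disk and return (version, exposed CVEs)."""
    version = header_version(path.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return None, []
    return version, exposed_cves(version)


# Constructed sample header imitating a vulnerable install (not a real file).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Version: 6.5.0.2
 */
"""

if __name__ == "__main__":
    v = header_version(SAMPLE_PLUGIN_HEADER)
    print(f"sample header version {v}: exposed to {exposed_cves(v)}")
    # On a real host (assumed path), point check_plugin_file at
    # wp-content/plugins/litespeed-cache/litespeed-cache.php instead.
```

Run it as-is to see the constructed 6.5.0.2 sample reported as exposed to CVE-2024-47374 only (it already carries the 6.5.0.1 fix); pass a real plugin path to `check_plugin_file` to check an actual install.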

Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.
