Over 4 million WordPress sites are affected by an XSS vulnerability in the popular LiteSpeed caching plugin, which has now been fixed.
The vulnerability, now patched in the well-known LiteSpeed WordPress plugin, allowed attackers to upload malicious code. It was reported to LiteSpeed on August 14th, two months before a patch was made available in October.
Vulnerability for Cross-Site Scripting (XSS)
Wordfence found an XSS vulnerability in LiteSpeed, the most popular WordPress cache plugin in the world.
Most XSS vulnerabilities exploit the absence of a security practice called data sanitization and escaping.
Sanitization is a method that restricts the kinds of data and files that are permitted to be submitted through a legitimate input, such as a contact form.
The LiteSpeed vulnerability allowed a hostile attacker to upload scripts through the plugin's shortcode feature, something that would not have been possible had the correct sanitization and escaping of data been in place.
This particular vulnerability is harder to exploit than unauthenticated threats (which need no permission level), because the attacker must first obtain contributor-level permissions.
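To make the sanitization-and-escaping point concrete, here is an added illustration (not LiteSpeed Cache's code, and not from the Wordfence bulletin) of the general pattern behind stored XSS in a WordPress shortcode: an unsafe handler that writes a shortcode attribute straight into HTML, next to a hardened one. The shortcode name example_box and its title attribute are invented for this example; the WordPress functions used (add_shortcode, shortcode_atts, sanitize_text_field, esc_attr) are real core APIs.

```php
<?php
// Hypothetical shortcode handler, added to illustrate the flaw class discussed
// above. This is NOT LiteSpeed Cache's code; [example_box] and 'title' are
// invented names for the example.

// UNSAFE: the attribute value is concatenated into HTML without escaping.
// A user with the Contributor role can place [example_box title="..."] in a
// post they author; the stored value is then rendered, unescaped, into every
// page that displays the post. A value containing a double quote would end
// the title attribute early, which is exactly the gap escaping is meant to close.
function example_box_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'example_box' );
    return '<div class="example-box" title="' . $atts['title'] . '"></div>';
}

// HARDENED: sanitize on the way in, escape on the way out.
// sanitize_text_field() strips tags and control characters from the value;
// esc_attr() encodes quotes and angle brackets so whatever survives cannot
// break out of the attribute context.
function example_box_shortcode_safe( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '' ), $atts, 'example_box' );
    $title = sanitize_text_field( $atts['title'] );
    return '<div class="example-box" title="' . esc_attr( $title ) . '"></div>';
}

// Register only the hardened handler; the unsafe one is kept for comparison.
add_shortcode( 'example_box', 'example_box_shortcode_safe' );
```

The two functions differ only in the sanitize/escape calls, which is the point: the shortcode feature itself is not the problem, the missing output escaping is. When reviewing a plugin for this class of bug, look for shortcode or widget handlers that build HTML from attributes or post content without an esc_* call at the output point.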
Which LiteSpeed Plugin Versions Are Vulnerable?
The LiteSpeed Cache plugin is vulnerable to an XSS attack if it is version 5.6 or earlier.
Users of LiteSpeed Cache are urged to update to the most recent version, 5.7, which was released on October 10, 2023, as soon as feasible.
To learn more about the LiteSpeed XSS vulnerability, read the Wordfence bulletin.