The popular LiteSpeed WordPress plugin patched a vulnerability that affected over 4 million websites, allowing hackers to upload malicious scripts.
LiteSpeed was notified of the vulnerability two months ago, on August 14th, and released a patch in October.
Cross-Site Scripting (XSS) Vulnerability
Wordfence discovered a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed plugin, the most popular WordPress caching plugin in the world.
XSS vulnerabilities are generally a type that takes advantage of a lack of security processes called data sanitization and escaping.
Sanitization is a technique that filters what kind of data can be submitted through a legitimate input, such as a contact form.
In the specific LiteSpeed vulnerability, the implementation of a shortcode function allowed a malicious hacker to upload scripts that they otherwise would not have been able to, had the proper security protocols of sanitizing and escaping data been in place.
The WordPress developer page describes the sanitization security practice:
“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.
…Sanitizing input is the process of securing/cleaning/filtering input data.”
Another WordPress developer page describes the recommended process of escaping data like this:
“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.
This process helps secure your data prior to rendering it for the end user.”
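The sanitize-on-input, escape-on-output pattern the two WordPress pages describe, applied to a shortcode handler of the kind the article says was at fault. This is an added example written for this page, not LiteSpeed's code and not the plugin's actual shortcode; the shortcode names (`demo_box_unsafe`, `demo_box_safe`) and their `title` and `url` attributes are made up, and the snippet assumes it runs inside WordPress (as a plugin or mu-plugin) so that `add_shortcode`, `shortcode_atts`, `sanitize_text_field`, `esc_url_raw`, `esc_url` and `esc_html` are available.

```php
<?php
/**
 * Added example, not LiteSpeed's code: the same contributor-facing shortcode
 * written twice, once without sanitization/escaping and once with the
 * WordPress helpers the article quotes. Shortcode and attribute names are
 * made up; assumes a WordPress runtime.
 */

// --- Before: attribute values are echoed straight back into the page. ---
// A contributor places [demo_box_unsafe title="..." url="..."] in a post.
// Whatever the attributes carry is stored with the post and rendered,
// unchanged, for every visitor: the stored XSS pattern the article describes.
function demo_box_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '' ), $atts, 'demo_box_unsafe' );
    // No sanitization, no escaping: quotes, tags and non-http schemes pass through.
    return '<div class="demo-box"><a href="' . $atts['url'] . '">' . $atts['title'] . '</a></div>';
}
add_shortcode( 'demo_box_unsafe', 'demo_box_unsafe' );

// --- After: sanitize on the way in, escape on the way out. ---
function demo_box_safe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '' ), $atts, 'demo_box_safe' );

    // Sanitization ("securing/cleaning/filtering input data"):
    // strip tags and line breaks from the text, allow only http(s) URLs.
    $title = sanitize_text_field( $atts['title'] );
    $url   = esc_url_raw( $atts['url'], array( 'http', 'https' ) );

    // Escaping ("securing output data ... prior to rendering"):
    // context-specific encoding at the exact point the value enters HTML.
    return sprintf(
        '<div class="demo-box"><a href="%s">%s</a></div>',
        esc_url( $url ),   // URL attribute context
        esc_html( $title ) // text-node context
    );
}
add_shortcode( 'demo_box_safe', 'demo_box_safe' );
```

Both steps matter. The KSES filtering WordPress applies when a contributor saves a post is not a substitute for escaping here, because shortcode attributes are only parsed out of the stored text when the page is rendered, so the handler itself is the last place the value can be encoded for its HTML context.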
This particular vulnerability requires that the hacker first obtain contributor-level permissions in order to carry out the attack, which makes carrying out the attack more complicated than other kinds of threats that are unauthenticated (require no permission level).
According to Wordfence:
“This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page.
While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites, which are all severe consequences.”
Which Versions of the LiteSpeed Plugin Are Vulnerable?
Versions 5.6 or lower of the LiteSpeed Cache plugin are vulnerable to the XSS attack.
Users of LiteSpeed Cache are encouraged to update their plugin as soon as possible to the latest version, 5.7, which was released on October 10, 2023.
Read the Wordfence bulletin on the LiteSpeed XSS vulnerability:
Featured Image by Shutterstock/Asier Romero