WordPress LiteSpeed Plugin Vulnerability Affects 4 Million Websites

  • News
  • October 24, 2023

The popular LiteSpeed Cache WordPress plugin has patched a vulnerability affecting over 4 million websites that allowed attackers to inject malicious scripts into pages.

LiteSpeed was notified of the vulnerability on August 14th and released a patch in October, roughly two months later.

Cross-Site Scripting (XSS) Vulnerability

Wordfence discovered a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed Cache plugin, the most widely used WordPress caching plugin in the world.

XSS vulnerabilities typically arise from missing or incomplete input sanitization and output escaping.

Sanitization is the process of filtering what kind of data can be submitted through a legitimate input, such as a contact form.

In the LiteSpeed vulnerability, the implementation of the plugin's shortcode functionality allowed an attacker to inject scripts that they would otherwise not have been able to, had proper sanitization and escaping of the data been in place.

The WordPress developer documentation describes the sanitization security practice:

“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.

…Sanitizing input is the process of securing/cleaning/filtering input data.”

Another WordPress developer page describes the recommended process of escaping data like this:

“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.

This process helps secure your data prior to rendering it for the end user.”
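To make the sanitize-versus-escape distinction concrete, the following is an added example in plain PHP. It is not code from the LiteSpeed plugin or from Wordfence; the `[notice]` shortcode, its `title` attribute, the helper names and the sample post content are all constructed for illustration. It renders the same contributor-supplied shortcode twice: once by concatenating the values straight into HTML, which is the class of bug described above, and once with escaping applied for the context the value lands in. Inside WordPress the escaping call would be `esc_attr()` for attribute values and `esc_html()` or `wp_kses_post()` for body content; `htmlspecialchars()` stands in for them here so the file runs with a plain `php` interpreter and no WordPress install. Shortcode attributes are ordinary text to WordPress's HTML content filter, so a value like the one below is stored unchanged and only becomes markup when the shortcode renders it.

```php
<?php
// Added example (not LiteSpeed or Wordfence code): a hypothetical
// [notice title="..."]...[/notice] shortcode rendered without and with
// output escaping. htmlspecialchars() stands in for WordPress's
// esc_attr()/esc_html() so this file runs outside WordPress.

// Minimal stand-in for WordPress's shortcode parsing: one [notice] tag with
// a single- or double-quoted title attribute and a body.
function parse_notice(string $post_content): ?array
{
    $re = '/\[notice\s+title=(?:"([^"]*)"|\'([^\']*)\')\](.*?)\[\/notice\]/s';
    if (!preg_match($re, $post_content, $m)) {
        return null;
    }
    // Group 1 is the double-quoted form, group 2 the single-quoted form.
    $title = $m[1] !== '' ? $m[1] : $m[2];
    return ['title' => $title, 'content' => $m[3]];
}

// Vulnerable handler: attribute and body are concatenated into the HTML verbatim.
function render_notice_vulnerable(array $atts): string
{
    return '<div class="notice" title="' . $atts['title'] . '">'
        . $atts['content'] . '</div>';
}

// Escape for an HTML attribute or text context: & < > " ' become entities.
// Same intent as WordPress's esc_attr()/esc_html(); name is hypothetical.
function esc_plain(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened handler: every untrusted value is escaped for the context it lands in.
function render_notice_safe(array $atts): string
{
    return '<div class="notice" title="' . esc_plain($atts['title']) . '">'
        . esc_plain($atts['content']) . '</div>';
}

// Constructed contributor-style post content (not a payload from the
// advisory): the single-quoted attribute value smuggles a double quote and
// an event handler that only matters once it is placed inside HTML.
const SAMPLE_POST = "Intro [notice title='\" onmouseover=\"alert(document.cookie)']hello[/notice]";

// Render the sample through both handlers and return the two results.
function demo(string $post_content = SAMPLE_POST): array
{
    $atts = parse_notice($post_content);
    if ($atts === null) {
        return ['vulnerable' => '', 'safe' => ''];
    }
    return [
        'vulnerable' => render_notice_vulnerable($atts),
        'safe'       => render_notice_safe($atts),
    ];
}

$out = demo();
echo "vulnerable: {$out['vulnerable']}\n";
echo "safe:       {$out['safe']}\n";
```

Run it with `php notice.php`. In the vulnerable line the smuggled quote closes the `title` attribute early and the `onmouseover` handler lands on the `<div>` as a real attribute, which is exactly the stored XSS outcome Wordfence describes: it fires for every visitor who hovers the element. In the safe line the quotes are encoded as `&quot;`, so the browser keeps the whole value as inert title text. Sanitizing on save is useful defence in depth, but escaping at output for the specific context (attribute, text, URL, JavaScript) is what closes the bug regardless of where the data came from, which is why the WordPress guidance above treats the two as separate steps.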

This vulnerability requires the attacker to first obtain contributor-level permissions in order to carry out the attack, which makes it harder to exploit than unauthenticated vulnerabilities (those requiring no permission level at all).

According to Wordfence:

“This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page.

While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.”

Which Versions of the LiteSpeed Plugin Are Vulnerable?

Versions 5.6 and earlier of the LiteSpeed Cache plugin are vulnerable to the XSS attack.

Users of LiteSpeed Cache are encouraged to update the plugin as soon as possible to the latest version, 5.7, which was released on October 10, 2023.

Read the Wordfence bulletin on the LiteSpeed XSS vulnerability:

4 Million WordPress Sites affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin
