WordPress LiteSpeed Plugin Vulnerability Affects 4 Million Websites
- News
- October 24, 2023
- No Comment
- 9
The favored LiteSpeed WordPress plugin patched a vulnerability that compromised over 4 million web sites, permitting hackers to add malicious scripts.
LiteSpeed was notified of the vulnerability two months in the past on August 14th and launched a patch in October.
Cross-Website Scripting (XSS) Vulnerability
Wordfence found a Cross-Website Scripting (XSS) vulnerability within the LiteSpeed plugin, the preferred WordPress caching plugin on the earth.
XSS vulnerabilities are typically a sort that takes benefit of an absence of a safety course of known as information sanitization and escaping.
Sanitization is a way that filters what sort of information may be uploaded through a official enter, like on a contact type.
Within the particular LiteSpeed vulnerability, the implementation of a shortcode performance allowed a malicious hacker to add scripts they in any other case wouldn’t be capable to had the right safety protocols of sanitization/escaping information been in place.
The WordPress developer web page describes the sanitization security practice:
“Untrusted information comes from many sources (customers, third occasion websites, even your personal database!) and all of it must be checked earlier than it’s used.
…Sanitizing enter is the method of securing/cleansing/filtering enter information.”
One other WordPress developer web page describes the advisable process of escaping data like this:
“Escaping output is the method of securing output information by stripping out undesirable information, like malformed HTML or script tags.
This course of helps safe your information previous to rendering it for the top consumer.”
This particular vulnerability requires that the hacker first get hold of contributor stage permissions so as to perform the assault, which makes finishing up the assault extra difficult than other forms of threats which can be unauthenticated (require no permission stage).
In line with Wordfence:
“This makes it doable for menace actors to hold out saved XSS assaults. As soon as a script is injected right into a web page or put up, it should execute every time a consumer accesses the affected web page.
Whereas this vulnerability does require {that a} trusted contributor account is compromised, or a consumer be capable to register as a contributor, profitable menace actors may steal delicate data, manipulate web site content material, inject administrative customers, edit information, or redirect customers to malicious web sites that are all extreme penalties.”
Which Variations of LiteSpeed Plugin Are Susceptible?
Variations 5.6 or much less of the LiteSpeed Cache plugin are susceptible to the XSS assault.
Customers of the LiteSpeed Cache are inspired to replace their plugin as quickly as doable to the newest model, 5.7 which was launched on October 10, 2023.
Learn the Wordfence bulletin on the LiteSpeed XSS vulnerability:
Featured Picture by Shutterstock/Asier Romero
