
WordPress Cache Plugin Vulnerability May Allow Site Takeover

A security flaw in the WordPress LiteSpeed Cache plugin (CVE-2024-47374, CVSS 7.2) has been disclosed. It is a stored cross-site scripting (XSS) vulnerability that lets an attacker inject malicious JavaScript into a site and, from there, potentially take control of it. The flaw affects plugin versions up to and including 6.5.0.2; the plugin is active on over six million sites.

The vulnerability is only reachable when both the “CSS Combine” and “Generate UCSS” settings are enabled. An attacker injects the payload through the “X-LSCACHE-VARY-VALUE” HTTP request header; because the XSS is stored, the injected script persists and runs in the browser of whoever later loads the affected content. If that user is a site administrator, the script runs with administrator privileges, which amounts to a complete site takeover. The flaw was fixed in version 6.5.1, released on September 25, 2024.

A second vulnerability (CVE-2024-44000, CVSS 7.5) was patched earlier in September. It allowed unauthenticated users to read sensitive cookie data, which could then be replayed to take over accounts. It was fixed in version 6.5.0.1.

Site administrators are advised to update the plugin immediately to mitigate these risks.
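For anyone triaging a fleet of sites, the useful check is simply whether the installed plugin version is below each fix version named above. The following is an added example, not code from the post or from the LiteSpeed Cache plugin: it reads the plugin version the way WordPress does (from the `Version:` line of the main plugin file's header comment, shown here as a constructed sample) and reports which of the two CVEs still apply. The four-component version numbers (6.5.0.1, 6.5.0.2) are exactly where naive string or tuple comparison goes wrong, so the comparison pads to equal length.

```python
"""Triage helper for the two LiteSpeed Cache CVEs described in the post.

Added example; not part of the plugin. Fixed-in versions are taken from the
post: CVE-2024-44000 fixed in 6.5.0.1, CVE-2024-47374 fixed in 6.5.1.
"""
import re
from typing import List, Tuple

FIXES = [
    ("CVE-2024-44000", (6, 5, 0, 1)),  # cookie exposure, fixed in 6.5.0.1
    ("CVE-2024-47374", (6, 5, 1)),     # stored XSS via header, fixed in 6.5.1
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.5.0.2' into (6, 5, 0, 2).

    Only the leading dotted-numeric part is used; a suffix such as '-beta1'
    is ignored. That is a deliberate simplification for this example.
    """
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """True if a < b, treating missing trailing components as zero.

    Plain tuple comparison would make (6, 5, 1) < (6, 5, 1, 0) true, and
    plain string comparison would make '6.5.10' < '6.5.9' true; padding
    avoids both mistakes.
    """
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def version_from_plugin_header(php_source: str) -> str:
    """Extract the 'Version:' value from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    if not m:
        raise ValueError("no Version: line in plugin header")
    return m.group(1)


def unpatched_cves(version: str) -> List[str]:
    """Return the CVEs from the post that still affect the given version."""
    v = parse_version(version)
    return [cve for cve, fixed in FIXES if version_lt(v, fixed)]


# Constructed sample of a main plugin file header, not the real file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Version: 6.5.0.2
 */
"""


if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    print(installed, "->", unpatched_cves(installed) or "no known issues")
```

On a real server, point `version_from_plugin_header` at `wp-content/plugins/litespeed-cache/litespeed-cache.php`; an empty list means both fixes are present.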

About this post

Posted: 2024-10-07
By: dwirch

Categories

Security

News
