Wordpress plug-in: Another serious security vulnerability in Litespeed Cache
A serious vulnerability in the Wordpress plug-in Litespeed Cache lurks on more than six million websites. An update is available.
The Wordpress plug-in Litespeed Cache is extremely popular. It has more than six million active installations and is used for website acceleration and optimization. A serious vulnerability in the plug-in, which third parties can exploit within a short time, puts the websites equipped with it at risk.
An article by the IT security company Patchstack discusses the vulnerability. According to the article, it is a so-called stored cross-site scripting vulnerability that allows unauthenticated attackers to access sensitive information and escalate their privileges on the WordPress website with a single HTTP request. In the vulnerability summary, the IT researchers write that this allows attackers to inject malicious scripts such as redirectors, advertisements and other HTML code that are executed when visitors open the site (CVE-2024-47374, CVSS 7.1, risk "high").
Wordpress plug-in: Updated software
The vulnerability affects Litespeed Cache up to and including version 6.5.0.2. The updated version Litespeed Cache 6.5.1, which closes the vulnerability, has been available for a week. Admins of WordPress instances with the vulnerable plug-in should install this or a newer version immediately. The IT analysts at Patchstack consider it very likely that the vulnerability will soon be exploited in the wild.
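To check whether an installed copy still falls into the affected range (6.5.0.2 and earlier), a naive string comparison is not enough: "6.5.0.2" has more components than the fixed release "6.5.1" and must still sort below it. The following POSIX shell script is an added example, not code from the article or from the plug-in project; it compares dotted version numbers component by component and, if WP-CLI is present, reads the installed version with `wp plugin get litespeed-cache --field=version` (the plug-in slug and the WP-CLI call are assumptions about the operator's setup, and only purely numeric version components are handled).

```shell
#!/bin/sh
# Added example, not part of the article or the LiteSpeed Cache project.
# First release that closes CVE-2024-47374 according to the article.
FIXED_VERSION="6.5.1"

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Components are compared numerically from left to right; a missing
# component counts as 0, so 6.5.0.2 < 6.5.1 and 6.5.1 is not < 6.5.1.
version_lt() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; a=${a#*.}
        cb=${b%%.*}; b=${b#*.}
        ca=${ca:-0}
        cb=${cb:-0}
        if [ "$ca" -lt "$cb" ]; then
            return 0
        elif [ "$ca" -gt "$cb" ]; then
            return 1
        fi
    done
    return 1   # all components equal
}

# litespeed_cache_vulnerable VERSION: exit 0 if VERSION is in the affected
# range (everything below the first fixed release).
litespeed_cache_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# report VERSION: print a human-readable verdict for one version string.
report() {
    if litespeed_cache_vulnerable "$1"; then
        echo "litespeed-cache $1: VULNERABLE, update to $FIXED_VERSION or newer"
    else
        echo "litespeed-cache $1: not affected"
    fi
}

# check_installed: ask WP-CLI for the installed version when it is available
# (assumed invocation; slug "litespeed-cache" is an assumption as well).
check_installed() {
    if command -v wp >/dev/null 2>&1; then
        installed=$(wp plugin get litespeed-cache --field=version 2>/dev/null) || {
            echo "litespeed-cache is not installed on this site"
            return 0
        }
        report "$installed"
    else
        echo "wp (WP-CLI) not found, skipping live check"
    fi
}

# Constructed sample versions so the script shows its logic when run offline.
for v in 6.5.0.2 6.5.1 6.4.9 6.5.2; do
    report "$v"
done
check_installed
```

Run it on the web server as the user that owns the WordPress installation; if WP-CLI is not available, pass the version from the plug-in's readme or the admin panel to `report` instead.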
This is already the third risky vulnerability in Litespeed Cache since the end of August that puts the numerous Wordpress instances equipped with it at risk. In August, a vulnerability classified as critical allowed remote attackers to register an administrative user without prior authentication and then completely take over the WordPress instance (CVE-2024-28000, CVSS 9.8, risk "critical"). In September, Patchstack researchers discovered that the debug feature logs all HTTP requests including their session cookies. Attackers could use this to gain admin rights (CVE-2024-44000).
(dmk)