Advisory

An XSS flaw reported in WordPress LiteSpeed Cache Plugin

Take action: The exploit has several preconditions (see below), so this is not an emergency, but stored XSS that fires in a WordPress admin's browser is serious. Update the LiteSpeed Cache plugin to 6.5.1 or later. If you cannot update right away, disable the CSS Combine and Generate UCSS settings, which removes the vulnerable code path. Patching is the better option, and it is quick.


Learn More

An XSS security vulnerability has been discovered in the LiteSpeed Cache plugin for WordPress, which has over 6 million active installations. All versions prior to 6.5.1 are affected.

The flaw is tracked as CVE-2024-47374 (CVSS score: 7.1) and is an unauthenticated stored cross-site scripting (XSS) vulnerability. An attacker can inject a malicious script with a single HTTP request, and the payload is stored in CSS output that is later rendered on WordPress admin pages. The script executes in the browser of an administrator who views the affected page; at that point it runs with the administrator's session, so it could be used for data theft or privilege escalation, up to full control of the site.

The issue lies in the plugin's handling of Critical CSS (CCSS) and Unique CSS (UCSS) generation: user-supplied input, in particular values taken from HTTP request headers by the "Vary Group" functionality, was not properly sanitized before being written into the generated CSS.

The vulnerability is only exploitable if both the CSS Combine and Generate UCSS settings are enabled in the plugin's Page Optimization section; with either one off, the vulnerable code path is not reached.

The vulnerability has been patched in LiteSpeed Cache version 6.5.1, and users are strongly urged to update to this version or later. Users who cannot update should disable the CSS Combine and Generate UCSS settings until they can.
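The three facts above (installed version, CSS Combine on or off, Generate UCSS on or off) are all a responder needs to classify a site. The following triage helper is an added example, not code from LiteSpeed or from this advisory. It reads the kind of JSON that `wp plugin list --format=json` produces and a dictionary of option values, and reports whether the site is patched, exploitable, or vulnerable-but-mitigated. The sample input is constructed. The option names `litespeed.conf.optm-css_comb` and `litespeed.conf.optm-ucss` are an assumption about how the plugin stores these two toggles; verify them against your installed version before relying on the script.

```python
"""Triage helper for CVE-2024-47374 (LiteSpeed Cache stored XSS).

Added example, not part of the LiteSpeed Cache plugin or the advisory.
Classifies a site as 'patched', 'exploitable', 'mitigated', 'inactive'
or 'not-installed' from the plugin version and the two relevant toggles.
"""
import json
import re

FIXED_VERSION = "6.5.1"

# Assumed WordPress option names for the two toggles (not confirmed by the advisory).
OPT_CSS_COMBINE = "litespeed.conf.optm-css_comb"
OPT_GENERATE_UCSS = "litespeed.conf.optm-ucss"


def parse_version(v):
    """Turn '6.5.0.2' into (6, 5, 0, 2) so versions compare numerically.

    Plain string comparison would put '6.10' before '6.5'; tuples of ints
    compare component by component and handle a differing number of parts.
    """
    nums = re.findall(r"\d+", v)
    return tuple(int(n) for n in nums) or (0,)


def version_lt(a, b):
    """True if version string a is strictly older than b."""
    return parse_version(a) < parse_version(b)


def is_on(value):
    """Interpret the stored option value as a boolean toggle.

    wp-cli prints booleans as '1'/'' or 'true'/'false' depending on how the
    plugin saved them; accept the common spellings.
    """
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "on", "yes")


def assess(version, css_combine, generate_ucss):
    """Apply the advisory's conditions to one site's facts."""
    if not version_lt(version, FIXED_VERSION):
        return "patched"
    # Vulnerable version: the bug is reachable only with both toggles enabled.
    if css_combine and generate_ucss:
        return "exploitable"
    return "mitigated"


def triage(plugin_list_json, options):
    """Combine `wp plugin list --format=json` output with option values."""
    plugins = json.loads(plugin_list_json)
    lsc = next((p for p in plugins if p.get("name") == "litespeed-cache"), None)
    if lsc is None:
        return {"status": "not-installed"}
    version = lsc.get("version", "0")
    if lsc.get("status") != "active":
        # Inactive plugin code does not run, so the bug is not reachable.
        return {"status": "inactive", "version": version}
    status = assess(
        version,
        is_on(options.get(OPT_CSS_COMBINE, "")),
        is_on(options.get(OPT_GENERATE_UCSS, "")),
    )
    action = {
        "patched": "no action needed",
        "exploitable": "update to %s now, or disable CSS Combine / Generate UCSS" % FIXED_VERSION,
        "mitigated": "update to %s when possible; keep both toggles off until then" % FIXED_VERSION,
    }[status]
    return {"status": status, "version": version, "action": action}


# Constructed sample input mimicking wp-cli output; not real site data.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "litespeed-cache", "status": "active", "update": "available", "version": "6.5.0.2"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])
SAMPLE_OPTIONS = {OPT_CSS_COMBINE: "1", OPT_GENERATE_UCSS: "1"}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PLUGIN_LIST, SAMPLE_OPTIONS), indent=2))
```

On a live site, feed the script the real output of `wp plugin list --format=json` and the two `wp option get` values; the version comparison is the part most scripts get wrong, which is why it is done on integer tuples rather than strings.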
