4 Million WordPress Sites Affected by Stored Cross-Site Scripting Vulnerability in LightSpeed Cache
On August 14, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in LiteSpeed Cache plugin, which is actively installed on more than 4,000,000 WordPress websites, making it the most popular cache plugin. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.
We contacted The LiteSpeed Cache Team on August 14, 2023, and we received a response on the same day. After providing full disclosure details, the developer team made a patch on August 16, 2023, and released it to the WordPress repository on October 10, 2023. We would like to commend the LiteSpeed Technologies for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of LiteSpeed Cache, version 5.7 at the time of this writing, as soon as possible.
Description:LiteSpeed Cache <= 5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Plugin: LiteSpeed Cache
Plugin Slug: litespeed-cache
Affected Versions: <= 5.6
CVE ID: CVE-2023-4372
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: <= 5.7
The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘esi’ shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The LiteSpeed Cache is a site acceleration plugin with server-level cache and optimization. It provides a shortcode ([esi]) that can be used to cache blocks with Edge Side Includes technology when added to a WordPress page, if ESI was previously enabled in the settings.
Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the vulnerable code reveals that the shortcode method in the ESI class does not adequately sanitize the user-supplied ‘cache’ input, and then fails to escape the ‘control’ output derived from the ‘cache’ parameter when it builds the ESI block. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘cache’ attribute.
This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.