Four Million WordPress Sites Affected by a LiteSpeed Cache 5.6 XSS Vulnerability

The Wordpress plugin: Litespeed Cache Version 5.7 was affected by an XSS vulnerability. As the most used cache plugin, it is estimated that over 4 million sites are vulnerable. The vulnerability was discovered on August 14th, 2023 and affects all WordFence customers as well. The patch was released on October 10th, 2023 but many are unaware of the vulnerability.

The plugin is vulnerable to Stored Cross-Site Scripting (Stored XSS) via the ‘esi’ shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This is of particular importance for those who have not upgraded their versions of WordPress, as older versions of WordPress contained a vulnerability that allowed shortcodes from unauthenticated commenters to be rendered in certain configurations. This makes it possible for an unauthenticated attacker to exploit this Cross-Site Scripting (XSS) vulnerability on these older vulnerable versions. WordPress version 6.2.2 or later, has been patched to prevent this.

Schedule a demo with us to see how Glassportal’s context-driven vulnerability management solution can help you stay ahead of the curve: demo@glassportal.io