LiteSpeed Cache 5.7 Patches XSS Vulnerability 

The LiteSpeed Cache plugin, used on more than four million WordPress sites, has patched an XSS vulnerability in version 5.7. The plugin provides all-in-one site acceleration capabilities, server-level caching, and a collection of optimization features. It is compatible with WordPress multisite, and popular plugins like WooCommerce, bbPress, and Yoast SEO, which may contribute to its popularity.

Wordfence security researcher István Márton discovered the XSS vulnerability and responsibly disclosed it to the LiteSpeed Cache Team on August 14, 2023. The Wordfence advisory describes how the vulnerability might make it possible for an attacker to inject malicious scripts:

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘esi’ shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
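To illustrate the weakness the advisory describes (user-supplied shortcode attributes reaching page output without sanitization or escaping), here is an added example written for this post, not code from LiteSpeed Cache: a hypothetical [demo_block] shortcode handler in its unsafe form beside a hardened one that whitelists attributes with shortcode_atts(), constrains their format on input, and escapes them for the exact output context with esc_attr() and esc_html().

```php
<?php
// Added example, not LiteSpeed Cache code. Assumes a WordPress runtime
// (add_shortcode, shortcode_atts, sanitize_text_field, esc_attr, esc_html).

// UNSAFE (shown for comparison only, never registered): attribute values typed
// by the post author are concatenated straight into markup. Whatever a
// contributor stores in the shortcode is rendered verbatim to every visitor.
function demo_block_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'title' => '' ), $atts, 'demo_block' );
    return '<div id="' . $atts['id'] . '">' . $atts['title'] . '</div>';
}

// HARDENED: whitelist known attributes, sanitize on input, escape on output.
function demo_block_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => '', 'title' => '' ),
        $atts,
        'demo_block'
    );

    // Input sanitization: an HTML id only ever needs [A-Za-z0-9_-], so reject
    // everything else instead of trying to filter known-bad characters.
    $id = preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $atts['id'] );

    // sanitize_text_field() strips tags, control characters and stray whitespace
    // from the free-text title.
    $title = sanitize_text_field( (string) $atts['title'] );

    // Output escaping chosen per context: esc_attr() inside a quoted attribute,
    // esc_html() for element text. Both are applied even after sanitization,
    // because input filtering and output escaping guard different things.
    return sprintf(
        '<div id="%s">%s</div>',
        esc_attr( $id ),
        esc_html( $title )
    );
}

// Only the hardened handler is registered.
add_shortcode( 'demo_block', 'demo_block_safe' );
```

The same two-step rule (sanitize on input, escape for the output context) applies to any shortcode whose attributes end up in rendered HTML.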

Márton also cautioned that previous versions of WordPress contained a vulnerability that allowed shortcodes supplied by unauthenticated commenters to be rendered in certain configurations. All versions since WordPress 5.9 were subject to this vulnerability and if users aren’t on a patched version of WordPress, the vulnerability would “make it possible for unauthenticated attackers to exploit this Cross-Site Scripting vulnerability on vulnerable installations.”

LiteSpeed Cache patched the vulnerability in version 5.7, released on October 10. Although the update has been available for two weeks, only 30% of the plugin’s user base is running the latest version.

LiteSpeed Cache users should update to the patched version as soon as possible. See the Wordfence advisory for more details and a full technical analysis.


3 responses to “LiteSpeed Cache 5.7 Patches XSS Vulnerability”

  1. Some facts.
    1.) Patched by LiteSpeed on August 16, 2023.
    2.) Released on the WordPress repository on October 10, 2023.
    3.) ZERO hacked sites.

    The exploit is an extremely rare edge case that affected no sites on the Internet using the LiteSpeed Cache plugin.

    This is the reason why I love the WordPress ecosystem. Always proactive, developers out there trying to exploit scripts for holes, and then notifying plugin developers about the issue.

    These web devs are the real heroes in preventing WordPress exploits.

    • This is a minor vulnerability, which shouldn’t have been covered by the WP Tavern when they ignore more newsworthy security issues. But to say that it affected no websites doesn’t seem accurate.

      Also, it’s hardly proactive for the developer to have released a fix two months after being notified.

      The approach you are advocating, which doesn’t involve plugin developers actually doing security due diligence, but instead requires others to find vulnerabilities, frequently produces really bad outcomes. There was recently a situation where a hacker found a serious vulnerability in a plugin with 200,000+ installs and exploited it.

      Right now, most vulnerabilities are found by security providers looking for press coverage or hackers. Considering that, among other issues, security providers, other than us, often fail to even make sure the vulnerabilities they disclosed have actually been fixed, the result of this approach is continued insecurity and hacked websites.

      With that exploited vulnerability and the one discussed in this post, they could have been caught earlier if the developer had done a security review of the plugin or gotten someone else to do one. Getting more security reviews done would be the proactive approach here, but it currently isn’t happening.
