Important Security Announcement – Update LiteSpeed Cache Plugin

The LiteSpeed Cache plugin, used on more than four million WordPress sites, has patched an XSS vulnerability in version 5.7.

Their team reacted very promptly to the issue originally discovered by Wordfence.

Note: We advise updating the plugin on all of your websites as soon as possible to mitigate any risk associated with the vulnerability that has now been patched.

Wordfence security researcher István Márton originally discovered the XSS vulnerability and responsibly disclosed it to the LiteSpeed Cache Team on August 14, 2023. The Wordfence advisory describes how the vulnerability might make it possible for an attacker to inject malicious scripts:

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘esi’ shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

3 Likes

Thank you for the heads up, and everyone (hope I am not stealing the thread), please also note that a recent WordPress core vulnerability enabled ANY unauthenticated attacker to execute shortcodes.

Why is this relevant to this CVE?

Because this LiteSpeed vulnerability has an XSS attack vector in the “ESI” (Edge Side Includes) shortcode, which originally requires contributor level and above to execute successfully (for this particular vulnerability), …

however, due to the recent WP core vulnerability, even lower-privileged users can do this now (on unpatched WordPress core versions).

That makes this CVE all the worse.
Fingers crossed and happy patching everyone!

2 Likes

This plugin has a built-in auto-updater (that you need to enable in settings). I get the severity of this issue, but to me a vulnerability in a plugin that has already been updated and patched earlier is far less newsworthy than a zero-day. Wordfence also uses issues like this for good publicity and in this case is “taking the credit” for finding this issue.

Don’t get me wrong, I am not against security… but if we got excited about every security issue that was fixed in a plugin each time there was an update, we’d have no free time in our day to do anything.

2 Likes
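The announcement's advice to update the plugin on every site, and the auto-updater mentioned in the reply above, as an added example that is not part of this thread and is not LiteSpeed's or RunCloud's code: a POSIX shell script that uses WP-CLI to read the installed LiteSpeed Cache version on each site, updates it when it is older than 5.7 (the fixed release named in the announcement), and then turns on WordPress auto-updates for the plugin. It assumes WP-CLI is installed as `wp` (a version that provides the `plugin auto-updates` subcommand), that each argument is a site's WordPress root, and that the plugin uses its public wordpress.org slug `litespeed-cache`.

```shell
#!/bin/sh
# Added example, not from the thread or the LiteSpeed project.
# Assumptions: WP-CLI is on PATH as 'wp'; each argument is a WordPress
# root directory; 'litespeed-cache' is the plugin's wordpress.org slug.

PLUGIN="litespeed-cache"
FIXED_VERSION="5.7"   # release named in the announcement as containing the fix

# version_lt A B: exit 0 when dotted numeric version A is older than B.
# Missing components count as 0, so "5.7" and "5.7.0" compare equal.
# Non-numeric components (e.g. "-beta") are not handled.
version_lt() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# needs_update VERSION: exit 0 when VERSION still lacks the fix.
needs_update() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version SITE_PATH: print the plugin version on that site,
# or "missing" when the plugin is not installed there.
installed_version() {
    wp --path="$1" plugin get "$PLUGIN" --field=version 2>/dev/null || echo "missing"
}

# check_and_update SITE_PATH: report the status; update and enable
# auto-updates when the installed version is still vulnerable.
check_and_update() {
    site="$1"
    ver="$(installed_version "$site")"
    if [ "$ver" = "missing" ]; then
        echo "$site: $PLUGIN not installed, nothing to do"
        return 0
    fi
    if needs_update "$ver"; then
        echo "$site: $PLUGIN $ver is vulnerable (fixed in $FIXED_VERSION), updating"
        wp --path="$site" plugin update "$PLUGIN" \
            && wp --path="$site" plugin auto-updates enable "$PLUGIN"
    else
        echo "$site: $PLUGIN $ver is already patched"
    fi
}

# Usage: sh check-lscache.sh /var/www/site1 /var/www/site2 ...
for site in "$@"; do
    check_and_update "$site"
done
```

Run it against every WordPress root you manage (for example from a cron job) and it prints one status line per site; sites already on 5.7 or newer are left alone, so it is safe to rerun. The version comparison is done field by field in plain sh rather than with `sort -V` so that it behaves the same on busybox-style hosts.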

I do agree with this - as much as I love WordFence, sometimes I sense they do use a little bit of “fear marketing”, although it is not as obnoxious as some others (“Better get our highest paid tier to be safe!”). Also agree that if we just scanned CVEs, server logs and newly blocked IPs all day, we would not get anything done.

Still, I commend both WF and RC for getting this info out there, as OLS is used by a lot of folks who are not as well versed in cybersecurity as e.g. brad and other smart folks here are…

… and yes, we might argue whether people who don’t follow security tightly should really maintain mission-critical sites - like the one agency on a fellow forum a few years ago who asked how to manage the about 250 sites they had in their roster - they did not even know about backups, updates and such!

But I hate to admit I was one of those guys once and am glad to have gradually been led into becoming a much more security-conscious user (and sometimes not so gradually, via painful mistakes and hacked sites!). 🙂

Anyway, talking too much - thanks @brad for pointing out the auto-updater for others! 👍

2 Likes

I imagine most WP sites, like mine, do not have random users who could be hackers as authenticated users anyway, which for me lowers its severity a lot. I would be more worried about having the hacker as an authenticated user. If that is a high level user they could do plenty of damage without this vulnerability. My two cents 😀

I agree, however please note that it has not been made clear in this case if the needed “Subscriber” role has the same needed privileges as WooCommerce “Customer” role (they are very similar).

That would mean that any WooCo instance with open registrations (basically most of the shops, right?) would enable this. Also, it is not uncommon for customers to have notoriously weak “pa$$w0rds” 🙂 - then all that is needed is a breached account of an existing customer.

But I agree that we don’t need scaremongering… merely noting that it is not always clear what exactly the limit and scope of a CVE is (which is sometimes deliberate, to prevent trivial weaponizing 👍).

1 Like