Application security, Vulnerability Management

XSS attacks possible with LiteSpeed Cache plugin vulnerability

Share
Today’s columnist, Sebastian Gierlinger of Storyblok, offers nine tips for integrating a content management system with an ecommerce platform. (Credit: Getty Images Stock Photo)

WordPress sites with LiteSpeed Cache plugin instances impacted by the high-severity stored cross-site scripting flaw, tracked as CVE-2024-47374, could be compromised to facilitate arbitrary JavaScript code execution, reports The Hacker News.

Attackers who successfully activated "CSS Combine" and "Generate UCSS" within Page Optimization settings could leverage the vulnerability — which originates from the inadequate sanitization of a parsed HTTP header value — not only to exfiltrate sensitive data but also to elevate privileges and facilitate website takeovers for further compromise, according to an analysis from Patchstack. Immediate patching has been advised for sites with LiteSpeed Cache plugin versions 6.5.0.2 and earlier. Such a development comes weeks after updates were issued to remediate the high-severity LiteSpeed Cache plugin bug, tracked as CVE-2024-44000, which could be exploited for arbitrary account hijacking. Other critical WordPress plugin flaws have also been remediated recently, including one impacting the Jupiter X Core plugin, tracked as CVE-2024-7772, which could be used to achieve remote code execution.

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.