According to Wordfence, site administrators using WordPress should update the LiteSpeed Cache version immediately to avoid being exploited.
Writing on its blog, Wordfence’s threat intelligence team said it has responsibly disclosed a cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin. This is a famous add-on that has been installed on more than 4 million WordPress websites. This vulnerability allows hackers with permission from collaborators to inject malicious scripts using shortcodes.
LiteSpeed Cache is a plugin that speeds up WordPress websites with caching and server-level optimization support. This plugin provides a shortcode that can be used to store blocks using Edge Side technology when added to WordPress
However, Wordfence says the plugin’s shortcode implementation is insecure, allowing arbitrary scripts to be inserted into these pages. Testing the vulnerable code shows that the shortcode method does not sufficiently check inputs and outputs. This makes it possible for threat actors to perform XSS attacks. When included in a page or post, the script will execute every time a user visits.
Although this vulnerability requires a contributor account to be compromised or a user to be able to register as a contributor, Wordfence said an attacker could steal sensitive information, manipulate website content, and administrators, edit files, or redirect visitors to malicious websites.
Wordfence said it contacted the LiteSpeed Cache development team on August 14. The patch was deployed on August 16 and released to WordPress on October 10, users now need to update LiteSpeed Cache to version 5.7 to completely fix this security error. Although dangerous, the Wordfence firewall’s built-in Cross-Site Scripting protection helps prevent this exploit
