Writing on their blog, Wordfence's threat intelligence team announced that they had disclosed a cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin, a popular add-on installed on more than 4 million WordPress websites. The vulnerability allows attackers with contributor-level privileges to inject malicious scripts via shortcodes.
LiteSpeed Cache is a WordPress speed-up plugin that uses caching and supports server-level optimization. It provides a shortcode that, once added to a WordPress page or post, caches blocks using Edge Side Includes (ESI).
However, Wordfence found that the plugin's shortcode implementation is insecure and allows arbitrary scripts to be injected into those pages. Its analysis showed that the shortcode handler does not adequately sanitize its input or escape its output, which lets threat actors carry out stored XSS attacks: once a script is embedded in a page or post, it executes every time a user views it.
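The defect class Wordfence describes, shown as an added illustration rather than LiteSpeed Cache's own code: a hypothetical `[demo_box]` shortcode whose attribute values reach the rendered HTML unsanitized and unescaped, next to the hardened form that sanitizes on input and escapes on output. It assumes a WordPress runtime; `add_shortcode`, `shortcode_atts`, `sanitize_key`, `sanitize_text_field`, `esc_attr` and `esc_html` are WordPress core functions.

```php
<?php
// Added illustration (not LiteSpeed Cache's code): a hypothetical [demo_box]
// shortcode in its vulnerable and hardened forms. Assumes WordPress is loaded.

// Vulnerable: attribute values taken from post content flow straight into HTML.
// Any user who can place the shortcode in a post (contributor level is enough)
// controls the markup, and the markup is served to every visitor of that post.
function demo_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'title' => '' ), $atts, 'demo_box' );
    return '<div class="demo-box" id="' . $atts['id'] . '">'
         . $atts['title'] . '</div>';
}

// Hardened: sanitize each value on input, then escape it for the exact context
// it lands in (attribute vs. element body) on output.
function demo_box_safe( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'title' => '' ), $atts, 'demo_box' );
    // An HTML id only needs [a-z0-9_-]; sanitize_key() strips everything else,
    // so the value cannot terminate the attribute or open a new tag.
    $id    = sanitize_key( $atts['id'] );
    // Free text: strip tags and control characters, then escape for the body.
    $title = sanitize_text_field( $atts['title'] );
    return '<div class="demo-box" id="' . esc_attr( $id ) . '">'
         . esc_html( $title ) . '</div>';
}

// Register only the hardened handler; the vulnerable one is kept for comparison.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'demo_box', 'demo_box_safe' );
}
```

When auditing a plugin for this bug, look for shortcode callbacks that concatenate `$atts[...]` into returned HTML without a matching `esc_*` call for the context.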
LiteSpeed Cache is a popular speed-boosting plugin for the WordPress platform.
Although exploiting this vulnerability requires a compromised contributor account, or registering as a contributor, Wordfence warns that attackers could steal sensitive information, manipulate website content, attack administrators, edit files, or redirect visitors to malicious websites.
Wordfence stated that it contacted the LiteSpeed Cache development team on August 14th. The patch was deployed on August 16th and released to WordPress on October 10th. Users now need to update LiteSpeed Cache to version 5.7 to fully fix this security vulnerability. Wordfence adds that, despite the severity, its built-in cross-site scripting protection already helped block this exploit.