LiteSpeed Cache Security Patches

February 28th, 2024 by LSCache , Security 14 Comments

LiteSpeed Cache for WordPress Security Patches

Last year, we were made aware of two distinct vulnerabilities in the LiteSpeed Cache for WordPress plugin. We patched these vulnerabilities right away, in v5.7 and v5.7.0.1 respectively.

To protect your WordPress sites, please update to the latest version of the LSCache plugin immediately. (As of this writing, the latest version is v6.1.)

If you’d like to know more about these vulnerabilities and their impact, read on.

Stored XSS vulnerability

The first issue, reported by the WordFence team, was a stored cross-site scripting vulnerability that could be exploited by authenticated users via the ESI shortcode functionality. Users with contributor-level and above permissions could potentially inject arbitrary web scripts into pages via the ESI shortcode. These scripts would have been executed whenever a user requested the page.

Impact

Only a small portion of our four million users would have been affected by this vulnerability: those that have ESI enabled, and also have authenticated users with permissions at the Contributor level or higher. ESI is disabled by default.

We recommend those impacted sites upgrade to the plugin version 5.7 or higher to patch this vulnerability.

Timeline

  • August 14, 2023: WordFence alerted us to the issue.
  • August 16, 2023: We made a patch and made it available to power users and testers as a GitHub commit
  • October 10, 2023: We released v5.7 to the WordPress repository
  • October 24, 2023: We added v5.7 to the list of stable releases in our control panel plugins

Broken Access Control vulnerability

The second issue, reported by the Patchstack team, was a broken access control vulnerability that could be exploited by unauthenticated users via the LSCWP API. Attackers could use certain API functions to access attachment URLs and details, and also change the nameserver configuration.

Impact

Because the vulnerability could be triggered by unauthenticated users, all four million installations would have been affected.

We recommend that every site should upgrade to the plugin version 5.7.0.1 or higher to patch this vulnerability.

Timeline

  • October 17, 2023: Patchstack alerted us to the issue.
  • October 19, 2023: We made a patch and made it available to power users and testers as a GitHub commit
  • October 25, 2023: We released v5.7.0.1 to the WordPress repository
  • October 26, 2023: We added v5.7.0.1 to the list of stable releases in our control panel plugins

More Information

We thank WordFence and Patchstack for bringing these issues to our attention. We have long since patched both vulnerabilities, so if you are keeping your LiteSpeed Cache plugin up-to-date, there is nothing you need to do. If you have not updated in a while, we strongly recommend doing so today.


Tags:
Categories:LSCache , Security

Related Posts


Comments