LiteSpeed Cache for WordPress Security Patches

Last year, we were made aware of two distinct vulnerabilities in the LiteSpeed Cache for WordPress plugin. We patched these vulnerabilities right away, in v5.7 and v5.7.0.1 respectively.

To protect your WordPress sites, please update to the latest version of the LSCache plugin immediately. (As of this writing, the latest version is v6.1.)

If you’d like to know more about these vulnerabilities and their impact, read on.

Stored XSS vulnerability

The first issue, reported by the WordFence team, was a stored cross-site scripting vulnerability that could be exploited by authenticated users via the ESI shortcode functionality. Users with contributor-level and above permissions could potentially inject arbitrary web scripts into pages via the ESI shortcode. These scripts would have been executed whenever a user requested the page.

Impact

Only a small portion of our four million users would have been affected by this vulnerability: sites that have ESI enabled and also have authenticated users with permissions at the Contributor level or higher. ESI is disabled by default.

We recommend that impacted sites upgrade to plugin version 5.7 or higher to patch this vulnerability.

Timeline

  • August 14, 2023: WordFence alerted us to the issue.
  • August 16, 2023: We produced a patch and made it available to power users and testers as a GitHub commit.
  • October 10, 2023: We released v5.7 to the WordPress repository.
  • October 24, 2023: We added v5.7 to the list of stable releases in our control panel plugins.

Broken Access Control vulnerability

The second issue, reported by the Patchstack team, was a broken access control vulnerability that could be exploited by unauthenticated users via the LSCWP API. Attackers could use certain API functions to access attachment URLs and details, and also change the nameserver configuration.

Impact

Because the vulnerability could be triggered by unauthenticated users, all four million installations would have been affected.

We recommend that every site upgrade to plugin version 5.7.0.1 or higher to patch this vulnerability.
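To illustrate the two weakness classes described above (a contributor-supplied shortcode attribute reaching page markup unescaped, and a plugin API endpoint reachable without an authorization check), here is an added example of hypothetical WordPress plugin code with the weak form beside the hardened form. It is not LiteSpeed Cache code; the shortcode name, route, option name and function names are invented for the illustration.

```php
<?php
// Added illustration, not LiteSpeed Cache code. Names are hypothetical.

// 1. Stored XSS via a shortcode attribute. Contributors can place shortcodes
//    in posts, so attribute values are untrusted input that later renders
//    for every visitor of the page.
function example_esi_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'example_esi' );
    // Weak: the attribute is written into markup verbatim.
    return '<div class="esi-block" title="' . $atts['title'] . '"></div>';
}

function example_esi_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'example_esi' );
    // Hardened: escape for the exact output context (an HTML attribute).
    return '<div class="esi-block" title="' . esc_attr( $atts['title'] ) . '"></div>';
}
add_shortcode( 'example_esi', 'example_esi_shortcode_safe' );

// 2. Broken access control on a plugin REST endpoint that changes settings.
//    The weak form would register the same route with
//    'permission_callback' => '__return_true', letting unauthenticated
//    requests read data and modify configuration.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings',
        // Hardened: only users holding an admin capability pass. Cookie-based
        // REST calls must additionally carry a valid X-WP-Nonce header.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'nameserver' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
                // Accept hostname characters only, since the value becomes config.
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^[A-Za-z0-9.-]+$/', $value );
                },
            ),
        ),
    ) );
} );

function example_update_settings( WP_REST_Request $request ) {
    update_option( 'example_nameserver', $request->get_param( 'nameserver' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

Both fixes follow the same rule: decide who may reach a code path before it runs, and escape untrusted data at the point where it is written out.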

Timeline

  • October 17, 2023: Patchstack alerted us to the issue.
  • October 19, 2023: We produced a patch and made it available to power users and testers as a GitHub commit.
  • October 25, 2023: We released v5.7.0.1 to the WordPress repository.
  • October 26, 2023: We added v5.7.0.1 to the list of stable releases in our control panel plugins.

More Information

We thank WordFence and Patchstack for bringing these issues to our attention. We have long since patched both vulnerabilities, so if you are keeping your LiteSpeed Cache plugin up-to-date, there is nothing you need to do. If you have not updated in a while, we strongly recommend doing so today.