LSCWP Viewport Images Patch

Introduction

We have a security update for LiteSpeed Cache for WordPress. Recently we were made aware of a vulnerability in the LiteSpeed Cache for WordPress plugin. We patched this vulnerability in v6.5.3.

To protect your WordPress sites, please update to the latest version of the LSCache plugin immediately.

This Cross-Site Scripting (XSS) vulnerability, reported by the Patchstack team, has been assigned CVE-2024-51915.

Impact

This vulnerability affects sites that use the Viewport Images service and have the following Page Optimization configuration:

  • Media Settings > Lazy Load Images must be ON
  • VPI > Viewport Images must be ON
  • Tuning > Optimize for Guests Only must be OFF

With all of these settings in place, the vulnerability may be exploited by a user with the Editor role. They must have permission to create a new post and set the LiteSpeed Options on that post before they can inject JavaScript code through a DOM mutation.

Actions

We strongly recommend that every site upgrade to plugin version 6.5.3 or higher to patch this vulnerability.
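
The triage script below is an added example, not LiteSpeed's code: it applies the Impact conditions and the 6.5.3 fix version to a site inventory so that exposed sites can be upgraded first. The CSV layout, the function names and the sample rows are assumptions constructed for illustration.

```shell
# Added example: triage a site inventory against this advisory.
# CSV columns (an assumption of this example, not LiteSpeed option keys):
#   site,plugin_version,lazy_load_images,viewport_images,guests_only
FIXED_VERSION="6.5.3"   # first patched release, from the advisory

# version_lt A B: succeed when dotted version A is older than B.
version_lt() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    x=${x%%[!0-9]*} y=${y%%[!0-9]*}   # drop suffixes such as "-beta"
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1   # equal versions are not "older"
}

# is_on VALUE: succeed for the usual spellings of an enabled switch.
is_on() {
  case $1 in 1|on|ON|On|true|yes) return 0 ;; *) return 1 ;; esac
}

# lscwp_exposed VERSION LAZY VPI GUESTS_ONLY: all Impact conditions hold.
lscwp_exposed() {
  version_lt "$1" "$FIXED_VERSION" || return 1
  is_on "$2" && is_on "$3" && ! is_on "$4"
}

# triage: read CSV rows on stdin, print "site status" for each.
triage() {
  while IFS=, read -r site ver lazy vpi guest; do
    case $site in ''|'#'*) continue ;; esac
    if ! version_lt "$ver" "$FIXED_VERSION"; then status=patched
    elif lscwp_exposed "$ver" "$lazy" "$vpi" "$guest"; then status=EXPOSED
    else status=update-pending   # old version, conditions not all met
    fi
    printf '%s %s\n' "$site" "$status"
  done
}

# Constructed sample inventory (not real sites).
SAMPLE_INVENTORY='blog.example,6.5.2,on,on,off
shop.example,6.5.2,on,on,on
docs.example,6.5.3,on,on,off
old.example,6.4.1,1,0,0
new.example,6.10,1,1,0'
printf '%s\n' "$SAMPLE_INVENTORY" | triage
```

Sites reported as update-pending still run a pre-6.5.3 release and should be upgraded as well; the status only separates them from sites where every Impact condition is met.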

Timeline

  • November 07, 2024: Patchstack alerted us to the issue.
  • December 04, 2024: We patched the issue and released v6.5.3 to the WordPress repository.
  • December 05, 2024: We added v6.5.3 to the list of stable releases in our control panel plugins.

Conclusion

We thank Patchstack for bringing this issue to our attention. This vulnerability has been patched, so if you are keeping your LiteSpeed Cache plugin up-to-date, there is nothing you need to do. If you have not updated in a while, please do so today.

