Thankfully, Patchstack (the creator of the plug-in) took care of it within a day.
A popular WordPress caching plug-in called LiteSpeed Cache has a cross-site scripting (XSS) flaw. XSS is an old and common class of flaw in which an attacker injects malicious code into a legitimate website so that a malicious script runs in the browser of whoever visits the page.
The vulnerability, tracked as CVE-2024-47374, was discovered by a security researcher who goes by the name "TaiYou." On September 24, he reported it to Patchstack through the Patchstack Bug Bounty Program for WordPress.
As of now, it only affects version 6.5.0.2 of LiteSpeed Cache, so users are recommended to upgrade as soon as possible to avoid the vulnerability.
TaiYou also reported two other flaws - another XSS and a path-traversal vulnerability - in addition to CVE-2024-47374. However, only the first flaw is considered a threat and exploitable.
On CVEdetails.com, CVE-2024-47374 is categorized as "Improper Neutralization of Input During Web Page Generation."
In simple terms, the product fails to neutralize user-controllable input before placing it in output that is served as a web page to other users. In some cases the input is neutralized, but incorrectly.
This happens because the code that renders the queue view in the Vary Group feature (functionality that combines "cache varies" and "user roles") applies no output escaping or sanitization. Why? Because this functionality doesn't require them. Unfortunately, that non-requirement is exactly what causes the issue.
Considering that more than 6 million people use the LiteSpeed Cache plug-in, this issue needed a timely fix, and Patchstack didn't disappoint.
The patch applied is pretty simple: it escapes the output with WordPress's esc_html function. In addition to the fix, the company has also applied a virtual patch to block all attacks until customers upgrade to the fixed version.
Furthermore, if WordPress site developers want extra protection against this kind of flaw, they should sanitize and escape any messages that are displayed as admin notices.
Last but not least, site developers are advised to add an extra layer of security to registered REST route endpoints in the form of an authorization check, to protect the site from an XSS vulnerability.
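To make the three recommendations concrete (escape admin-notice output, sanitize the message on input, and put an authorization check on the REST route that sets it), here is an added example of a hypothetical plugin notice feature. It is not LiteSpeed Cache's code or Patchstack's patch; the option name, REST namespace and function names are made up for illustration, and only the WordPress APIs used (esc_html, sanitize_text_field, register_rest_route, current_user_can) are real.

```php
<?php
// Hypothetical admin-notice feature (constructed example, not LiteSpeed Cache's code).
// A message is written through a REST endpoint and later rendered in wp-admin,
// which is the shape of the problem the article describes.

// --- Vulnerable pattern: stored message is echoed without escaping. ---
function example_vulnerable_notice() {
    $msg = get_option( 'example_notice_msg', '' );
    // Any markup inside $msg is rendered by the admin's browser as HTML.
    echo '<div class="notice notice-info"><p>' . $msg . '</p></div>';
}

// --- Hardened pattern: escape on output, sanitize on input, authorize the route. ---
function example_hardened_notice() {
    $msg = get_option( 'example_notice_msg', '' );
    // esc_html() turns <, >, &, " and ' into entities, so the message is
    // displayed as text and can never become a script tag or attribute.
    echo '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
}
add_action( 'admin_notices', 'example_hardened_notice' );

// Sanitize at the point where the message enters the system as well.
function example_set_notice( WP_REST_Request $request ) {
    $msg = sanitize_text_field( (string) $request->get_param( 'message' ) );
    update_option( 'example_notice_msg', $msg );
    return rest_ensure_response( array( 'stored' => $msg ) );
}

// Authorization check on the REST route: without a permission_callback,
// any visitor could write the text that administrators later see.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/notice', array(
        'methods'             => 'POST',
        'callback'            => 'example_set_notice',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'message' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

The vulnerable function is shown only for contrast and is never hooked; the hardened one is what an audit of admin-notice code should look for.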