WordPress sites with LiteSpeed Cache plugin instances impacted by the high-severity stored cross-site scripting flaw, tracked as CVE-2024-47374, could be compromised to facilitate arbitrary JavaScript code execution, reports The Hacker News.
On sites where the "CSS Combine" and "Generate UCSS" options within Page Optimization settings are enabled, attackers could leverage the vulnerability, which originates from the inadequate sanitization of a parsed HTTP header value, not only to exfiltrate sensitive data but also to elevate privileges and facilitate website takeovers for further compromise, according to an analysis from Patchstack.
Immediate patching has been advised for sites with LiteSpeed Cache plugin versions 6.5.0.2 and earlier.
This development comes weeks after updates were issued to remediate the high-severity LiteSpeed Cache plugin bug, tracked as CVE-2024-44000, which could be exploited for arbitrary account hijacking. Other critical WordPress plugin flaws have also been remediated recently, including one impacting the Jupiter X Core plugin, tracked as CVE-2024-7772, which could be used to achieve remote code execution.