Writing on its blog, the Wordfence threat intelligence team said it had responsibly disclosed a cross-site scripting (XSS) vulnerability in the LiteSpeed ​​Cache plugin, a popular add-on that is installed on more than 4 million WordPress websites. The vulnerability allowed hackers with contributor privileges to inject malicious scripts using shortcodes.

LiteSpeed ​​Cache is a plugin that speeds up WordPress websites with caching and server-level optimization. This plugin provides a shortcode that can be used to cache blocks using Edge Side technology when added to WordPress.

However, Wordfence said the plugin’s implementation of the shortcode was insecure, allowing arbitrary scripts to be inserted into these pages. An examination of the vulnerable code revealed that the shortcode method did not adequately check inputs and outputs. This allowed the threat actor to perform XSS attacks. Once inserted into a page or post, the script would execute every time a user visited it.

While the vulnerability requires a compromised contributor account or a user to register as a contributor, Wordfence says an attacker could steal sensitive information, manipulate website content, attack administrators, edit files, or redirect visitors to malicious websites.

Wordfence said it contacted the LiteSpeed ​​Cache development team on August 14. The patch was deployed on August 16 and released to WordPress on October 10. Users now need to update LiteSpeed ​​Cache to version 5.7 to fully fix this security flaw. Although dangerous, the built-in Cross-Site Scripting protection feature of the Wordfence firewall helped prevent this exploit.