WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks

Information:

  WordPress is the most widely used website creation tool worldwide, powering more than 40% of all websites. This open-source content management system (CMS) is versatile and easy to use, making it a common choice for users of all skill levels. LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features.

  Container escape is a security risk in which an attacker leverages vulnerabilities or misconfigurations in a containerized application to breach its isolation boundary and gain access to the host system's resources.

Incident:

  A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions.

  The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-LSCACHE-VARY-VALUE' request header in all versions up to, and including, 6.5.0.2, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages, and the injected script executes whenever a user loads an affected page. Exploitation requires the CSS Combine and Generate UCSS settings to be enabled.

  Also called persistent XSS attacks, such vulnerabilities make it possible to store an injected script permanently on the target website's servers, such as in a database, in a message forum, in a visitor log, or in a comment.

  This causes the malicious code embedded within the script to be executed every time an unsuspecting site visitor lands on the requested resource, for instance, the web page containing the specially crafted comment.
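The header-to-page flow described above, as an added illustration that is not LiteSpeed Cache's own code: a vary value read from a request is rendered into a cached page three ways, through a raw sink (vulnerable), through output escaping only, and through input validation plus output escaping. The sink (a stylesheet link attribute), the accepted token charset and the sample request are assumptions made for this example; the plugin's real sink is not shown on this page.

```python
import html
import re

# Constructed raw HTTP request for this example: the header name is the one the
# advisory cites, the payload is a generic attribute-breakout probe.
SAMPLE_REQUEST = (
    b"GET /sample-post/ HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b'X-LSCACHE-VARY-VALUE: guest"><script>alert(document.domain)</script>\r\n'
    b"\r\n"
)


def parse_headers(raw: bytes) -> dict:
    """Return request headers keyed by lower-cased name (request line skipped)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Hypothetical sink (an assumption for illustration): the vary value lands inside
# an attribute of the cached page, so it is served to every later visitor.
def render_vulnerable(vary_value: str) -> str:
    return f'<link rel="stylesheet" href="/wp-content/litespeed/ucss/{vary_value}.css">'


def render_escaped(vary_value: str) -> str:
    """Output escaping only: the value can no longer close the attribute or open a tag."""
    safe = html.escape(vary_value, quote=True)
    return f'<link rel="stylesheet" href="/wp-content/litespeed/ucss/{safe}.css">'


# Vary values are opaque cache-key tokens, so input validation can be strict.
# This charset is an assumption for the example, not the plugin's own rule.
VARY_TOKEN = re.compile(r"[A-Za-z0-9_.,-]{1,64}")


def render_hardened(vary_value: str) -> str:
    """Validate on input and escape on output (defense in depth)."""
    if VARY_TOKEN.fullmatch(vary_value) is None:
        raise ValueError("rejected vary value")
    return render_escaped(vary_value)


def hardened_rejects(vary_value: str) -> bool:
    try:
        render_hardened(vary_value)
    except ValueError:
        return True
    return False


SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def has_live_script(markup: str) -> bool:
    """True when the markup still contains a raw <script opener a browser would run."""
    return SCRIPT_OPEN.search(markup) is not None


def demo() -> dict:
    value = parse_headers(SAMPLE_REQUEST)["x-lscache-vary-value"]
    return {
        "vulnerable_executes": has_live_script(render_vulnerable(value)),
        "escaped_executes": has_live_script(render_escaped(value)),
        "hardened_rejected": hardened_rejects(value),
    }


if __name__ == "__main__":
    print(demo())
```

has_live_script is a deliberately simple check for a raw `<script` opener, enough to compare the three renderings side by side but not a general XSS detector; the point of the hardened variant is that a cache-key token never needs to carry quotes or angle brackets at all, so rejecting them on input costs nothing and removes the whole class of breakout.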

This issue affects LiteSpeed Cache:

  • WordPress LiteSpeed Cache plugin, all versions up to and including 6.5.0.2

Impacted users are recommended to upgrade:

  • Update to WordPress LiteSpeed Cache plugin version 6.5.1 or later to remove the vulnerability. Patchstack users can turn on auto-update for vulnerable plugins only.
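An added check, not part of the original advisory, for confirming whether an installed copy falls inside the affected range: it reads the Version: line of the plugin's main-file header (the standard WordPress plugin header format) and compares it against 6.5.0.2 with zero-padding, so that a three-part version such as 6.5.1 is ordered correctly above the four-part 6.5.0.2. The plugin file text is constructed for the example.

```python
import re

VULNERABLE_MAX = (6, 5, 0, 2)   # advisory: all versions up to and including 6.5.0.2
FIXED_MIN = "6.5.1"             # advisory: fixed release


def parse_version(text: str) -> tuple:
    """Numeric prefix of a version string as a tuple, e.g. '6.5.0.2' -> (6, 5, 0, 2)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if m is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def _pad(v: tuple, width: int = 4) -> tuple:
    """Right-pad with zeros so (6, 5, 1) compares as (6, 5, 1, 0)."""
    return v + (0,) * (width - len(v))


def is_vulnerable(version: str) -> bool:
    """True for every release in the advisory's affected range."""
    return _pad(parse_version(version)) <= _pad(VULNERABLE_MAX)


def version_from_plugin_header(php_source: str):
    """Read the 'Version:' line of a WordPress plugin's main-file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return m.group(1) if m else None


# Constructed plugin main file for this example; only the header matters.
SAMPLE_PLUGIN_FILE = """<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Version: 6.5.0.2
 */
"""


def assess(php_source: str) -> str:
    v = version_from_plugin_header(php_source)
    if v is None:
        return "unknown: no Version header found"
    if is_vulnerable(v):
        return f"{v}: VULNERABLE, update to {FIXED_MIN} or later"
    return f"{v}: not in affected range"


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_FILE))
```

Point the function at wp-content/plugins/litespeed-cache/litespeed-cache.php on the host being checked; the version line, not the directory name, is what counts, since stale copies are often left in place after a failed update.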

Security monitoring remains essential; keep systems under watch as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)

References:

Weekly Interesting CVE

1. CVE-2024-34331
   Published: 23/9/2024   Last update: 29/9/2024
   Target: Parallels Desktop for Mac versions 19.3.0 and below
   Attack type: Incorrect Execution-Assigned Permissions (local privilege escalation)
   CVSS score: 9.8
   Detail: A lack of code signature verification in Parallels Desktop for Mac v19.3.0 and below allows attackers to escalate privileges via a crafted macOS installer, because Parallels Service is setuid root.
   Solution: Upgrade to a release later than 19.3.0.
   Reference: https://vuldb.com/?id.278294

2. CVE-2024-42505
   Published: 24/9/2024   Last update: 24/9/2024
   Target: HPE Aruba Networking Access Points running Instant AOS-8 and AOS-10 (affected releases are listed in the HPE advisory)
   Attack type: Command injection
   CVSS score: 9.8
   Detail: Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
   Solution: Upgrade to a fixed AOS release from HPE; as an interim measure, block UDP port 8211 (PAPI) from untrusted networks, since exploitation requires reaching that port.
   Reference: https://vuldb.com/?id.278407

3. CVE-2024-7018
   Published: 23/9/2024   Last update: 26/9/2024
   Target: Google Chrome prior to 124.0.6367.78
   Attack type: Heap buffer overflow
   CVSS score: 8.8
   Detail: Heap buffer overflow in PDF in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium)
   Solution: Upgrade Chrome/Chromium to version 124.0.6367.78 or higher.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-7018

4. CVE-2024-6769
   Published: 26/9/2024   Last update: 30/9/2024
   Target: Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022
   Attack type: DLL hijacking (UAC bypass)
   CVSS score: 8.4
   Detail: A DLL hijacking caused by drive remapping combined with poisoning of the activation cache allows a malicious authenticated attacker to elevate from a medium integrity process to a high integrity process without the intervention of a UAC prompt.
   Solution: No vendor fix known. Microsoft does not treat UAC as a security boundary, so do not rely on a UAC prompt to contain an authenticated user who already runs code at medium integrity.
   Reference: https://www.globalsecuritymag.fr/microsoft-vulnerability-cve-2024-6769-now-public-on-fortra-com.html

5. CVE-2024-7479
   Published: 25/9/2024   Last update: 26/9/2024
   Target: TeamViewer Remote Clients prior to version 15.58.4 for Windows
   Attack type: Privilege escalation
   CVSS score: 8.8
   Detail: Improper verification of cryptographic signature during installation of a VPN driver via the TeamViewer_service.exe component of TeamViewer Remote Clients prior to version 15.58.4 for Windows allows an attacker with local unprivileged access on a Windows system to elevate their privileges and install drivers.
   Solution: Update to version 15.58.4 or the latest version available.
   Reference: https://www.teamviewer.com/th/resources/trust-center/security-bulletins/tv-2024-1006/

Malware News or Campaign IOC/IOA | EN

1. New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet
   Detection date: 01/10/2024
   Attack type: Cryptojacking, Botnet
   Description: Attackers are exploiting vulnerable, exposed Docker API endpoints to create botnets using Docker Swarm's orchestration features. The attack starts by scanning the internet for exposed Docker API endpoints using tools like masscan and ZGrab. After gaining access, the attackers deploy an Alpine container that runs a malicious script (init.sh) to install a cryptocurrency miner (XMRig) and spread laterally across Docker, Kubernetes, and SSH systems. The malware propagates by exploiting ports associated with Docker services and compromising SSH keys and other credentials. The attack hides the miner using a rootkit and maintains persistence through backdoors, creating a decentralized botnet.
   Mitigation/Remediation:
   • Ensure Docker API endpoints require authentication and are not publicly exposed.
   • Isolate critical Docker and Kubernetes infrastructure from internet exposure.
   • Keep all software updated so that known vulnerabilities cannot be exploited.
   Ref: https://thehackernews.com/2024/10/new-cryptojacking-attack-targets-docker.html
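The first mitigation bullet above, as an added example that is not from the original article: a small audit of the two places a Docker host's API listeners are configured, /etc/docker/daemon.json and the dockerd ExecStart= line, flagging TCP listeners that are bound to every interface or that lack tlsverify (mutual TLS, the only setting that makes the daemon demand a client certificate). The daemon.json documents and the ExecStart line are constructed samples; the certificate paths in the hardened document are assumptions.

```python
import json
import re

# Docker daemon TCP defaults: 2375 plain, 2376 with TLS. Swarm additionally
# uses 2377/tcp (manager), 7946/tcp+udp (node gossip) and 4789/udp (overlay).
ALL_INTERFACES = {"", "0.0.0.0", "::", "*"}


def parse_tcp_listener(spec: str):
    """('host', port) for a tcp:// listener spec; None for unix:// or fd://."""
    m = re.fullmatch(r"tcp://(?:\[([^\]]*)\]|([^:/\[]*))?(?::(\d+))?", spec)
    if m is None:
        return None
    host = m.group(1) if m.group(1) is not None else (m.group(2) or "")
    port = int(m.group(3)) if m.group(3) else None
    return host, port


def check_listener(spec: str, tls_verify: bool) -> list:
    parsed = parse_tcp_listener(spec)
    if parsed is None:
        return []
    host, _ = parsed
    findings = []
    if host in ALL_INTERFACES:
        findings.append(f"{spec}: API bound on all interfaces")
    if not tls_verify:
        findings.append(f"{spec}: TCP API without tlsverify (no client authentication)")
    return findings


def audit_daemon_json(text: str) -> list:
    """Audit a /etc/docker/daemon.json document."""
    cfg = json.loads(text)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for spec in cfg.get("hosts", []):
        findings.extend(check_listener(spec, tls_verify))
    return findings


def audit_execstart(line: str) -> list:
    """Audit a systemd ExecStart= line for dockerd (-H/--host flags)."""
    argv = line.partition("=")[2].split()
    hosts = []
    for i, tok in enumerate(argv):
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif tok.startswith(("-H=", "--host=")):
            hosts.append(tok.split("=", 1)[1])
    tls_verify = "--tlsverify" in argv or "--tlsverify=true" in argv
    findings = []
    for spec in hosts:
        findings.extend(check_listener(spec, tls_verify))
    return findings


# Constructed samples for this example.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
WEAK_EXECSTART = ("ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                  "--containerd=/run/containerd/containerd.sock")

if __name__ == "__main__":
    for label, findings in (("weak daemon.json", audit_daemon_json(WEAK_DAEMON_JSON)),
                            ("hardened daemon.json", audit_daemon_json(HARDENED_DAEMON_JSON)),
                            ("weak ExecStart", audit_execstart(WEAK_EXECSTART))):
        print(label, "->", findings or ["ok"])
```

Note that "tls": true on its own only encrypts the connection; only tlsverify makes the daemon reject clients without a certificate signed by the configured CA, which is what stops the internet-wide scans described above from reaching the API. dockerd refuses to start if hosts is set both in daemon.json and via -H, so only one of the two sources is live on a given host, but auditing both catches either layout. Network filtering of 2375/2376 and the Swarm ports (2377, 7946, 4789) remains necessary alongside this check.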

11 October 2024
