close
November 2023 only! Join our Discord free of charge.
Slick­Stack
Lightning-fast WordPress on Nginx
search
menu
search

4 million Litespeed sites have XSS vulnerability wtf

  • This topic is empty.
Viewing 11 posts - 1 through 11 (of 11 total)
  • Author
    Posts
  • October 26, 2023 at 2:47 am #8620 Reply
    Rebecca
    Guest

    this crazy.

    https://www.searchenginejournal.com/wordpress-litespeed-plugin-vulnerability-affects-4-million-websites/499074/

    October 26, 2023 at 2:48 am #8621 Reply
    Jordan
    Guest

    In the specific LiteSpeed vulnerability, the implementation of a shortcode functionality allowed a malicious hacker to upload scripts they otherwise would not be able to had the proper security protocols of sanitization/escaping data been in place.

    October 26, 2023 at 2:49 am #8622 Reply
    Sarah
    Guest

    That’s about the worst type of vulnerability you can have.

    October 26, 2023 at 2:50 am #8623 Reply
    Logan
    Guest

    this story makes no sense, Wordfence told them in August 2023 about this and they “released a patch” the next day, but why did it take until October 2023 before this patch was released on WordPress.org for the LS Cache plugin

    4 Million WordPress Sites affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin

    “We contacted The LiteSpeed Cache Team on August 14, 2023, and we received a response on the same day. After providing full disclosure details, the developer team made a patch on August 16, 2023, and released it to the WordPress repository on October 10, 2023. We would like to commend the LiteSpeed Technologies for their prompt response and timely patch.”

    October 26, 2023 at 2:52 am #8624 Reply
    Emma
    Guest

    Maybe Litespeed lied about the patch to Wordfence. not sure how to fix it so just pretended to for a while?

    October 26, 2023 at 2:52 am #8625 Reply
    Billy
    Guest

    a classic WordPress Christmas story! lol never ends….

    October 26, 2023 at 2:54 am #8626 Reply
    Donna
    Guest

    They literally had the same XSS vulnerability in 2021:

    https://wpscan.com/vulnerability/7f8b4275-7586-4e04-afd9-d12bdab6ba9b/

    October 26, 2023 at 2:58 am #8627 Reply
    Hannah
    Guest

    don’t worry, the dumbasses who use the LS Cache plugin won’t even notice because they also have Elementor and Rank Math installed

    impossible to know for sure which plugin caused their site to get hacked! 💯

    October 26, 2023 at 1:25 pm #8638 Reply
    Billy
    Guest

    Maybe Litespeed lied about the patch to Wordfence. not sure how to fix it so just pretended to for a while?

    It seems that the patch was committed to GitHub (but not released on wordpress.org) on August 16:

    https://github.com/litespeedtech/lscache_wp/commit/95a407d9f192b37ac6cf96d2aa50f240e3e6b2d7

    Bizarrely the patch contains several hundred lines of pointless whitespace changes, making it kind of hard to tell what was actually fixed…

    October 27, 2023 at 12:54 am #8644 Reply
    Gary
    Guest

    strange indeed

    November 8, 2023 at 7:13 am #8944 Reply
    Sandra
    Guest

    why did SlickStack blacklist Rank Math SEO

  • Author
    Posts
Viewing 11 posts - 1 through 11 (of 11 total)
Reply To: 4 million Litespeed sites have XSS vulnerability wtf

Thanks to our generous sponsors for their support!