4 million Litespeed sites have XSS vulnerability wtf
October 26, 2023 at 2:47 am #8620 Rebecca (Guest)
October 26, 2023 at 2:48 am #8621 Jordan (Guest)
In the specific LiteSpeed vulnerability, the implementation of a shortcode functionality allowed a malicious hacker to upload scripts they otherwise would not be able to had the proper security protocols of sanitization/escaping data been in place.
October 26, 2023 at 2:49 am #8622 Sarah (Guest)
That’s about the worst type of vulnerability you can have.
October 26, 2023 at 2:50 am #8623 Logan (Guest)
this story makes no sense, Wordfence told them in August 2023 about this and they “released a patch” the next day, but why did it take until October 2023 before this patch was released on WordPress.org for the LS Cache plugin?
“We contacted The LiteSpeed Cache Team on August 14, 2023, and we received a response on the same day. After providing full disclosure details, the developer team made a patch on August 16, 2023, and released it to the WordPress repository on October 10, 2023. We would like to commend the LiteSpeed Technologies for their prompt response and timely patch.”
October 26, 2023 at 2:52 am #8624 Emma (Guest)
Maybe Litespeed lied about the patch to Wordfence. not sure how to fix it so just pretended to for a while?
October 26, 2023 at 2:52 am #8625 Billy (Guest)
a classic WordPress Christmas story! lol never ends….
October 26, 2023 at 2:54 am #8626 Donna (Guest)
They literally had the same XSS vulnerability in 2021:
https://wpscan.com/vulnerability/7f8b4275-7586-4e04-afd9-d12bdab6ba9b/
October 26, 2023 at 2:58 am #8627 Hannah (Guest)
don’t worry, the dumbasses who use the LS Cache plugin won’t even notice because they also have Elementor and Rank Math installed
impossible to know for sure which plugin caused their site to get hacked! 💯
October 26, 2023 at 1:25 pm #8638 Billy (Guest)
“Maybe Litespeed lied about the patch to Wordfence. not sure how to fix it so just pretended to for a while?”
It seems that the patch was committed to GitHub (but not released on wordpress.org) on August 16:
https://github.com/litespeedtech/lscache_wp/commit/95a407d9f192b37ac6cf96d2aa50f240e3e6b2d7
Bizarrely the patch contains several hundred lines of pointless whitespace changes, making it kind of hard to tell what was actually fixed…
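An added example (not part of the thread and not LiteSpeed's code): one way to cut through whitespace-only churn when reviewing a security patch like the one discussed above. The PHP before/after is constructed for illustration and is not taken from the linked commit; `changed_lines` and `count` are hypothetical helper names.

```python
import difflib
import re

# Constructed sample: re-indented function where one line gains output escaping.
OLD = "\n".join([
    "function render_box( $atts ) {",
    "\t$title = $atts['title'];",
    "\t$out = '<div>';",
    "\t$out .= '<h2>' . $title . '</h2>';",
    "\t$out .= '</div>';",
    "\treturn $out;",
    "}",
])
NEW = "\n".join([
    "function render_box( $atts ) {",
    "    $title = $atts['title'];  ",
    "",
    "    $out = '<div>';",
    "    $out .= '<h2>' . esc_html( $title ) . '</h2>';",
    "    $out .= '</div>';",
    "    return $out;",
    "}",
])

def _key(line, ignore_ws):
    # Caveat: in ignore_ws mode, whitespace inside string literals is ignored too.
    return re.sub(r"\s+", " ", line).strip() if ignore_ws else line

def changed_lines(old_text, new_text, ignore_ws=True):
    """Return [(removed, added)] hunks; items are (line_no, original_text)."""
    old, new = old_text.splitlines(), new_text.splitlines()
    old_k = [_key(l, ignore_ws) for l in old]
    new_k = [_key(l, ignore_ws) for l in new]
    matcher = difflib.SequenceMatcher(a=old_k, b=new_k, autojunk=False)
    hunks = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        # In ignore_ws mode blank-only lines have an empty key and are dropped.
        removed = [(i + 1, old[i]) for i in range(i1, i2) if old_k[i] or not ignore_ws]
        added = [(j + 1, new[j]) for j in range(j1, j2) if new_k[j] or not ignore_ws]
        if removed or added:
            hunks.append((removed, added))
    return hunks

def count(hunks):
    return sum(len(removed) + len(added) for removed, added in hunks)

if __name__ == "__main__":
    print(count(changed_lines(OLD, NEW, ignore_ws=False)), "raw vs", count(changed_lines(OLD, NEW)))
```

With a Git checkout, `git show -w <commit>` gives a comparable whitespace-insensitive view of a commit.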
October 27, 2023 at 12:54 am #8644 Gary (Guest)
strange indeed
November 8, 2023 at 7:13 am #8944 Sandra (Guest)
April 9, 2024 at 7:16 am #21453 Jacob (Guest)
Litespeed flew too close to the sun……..
April 9, 2024 at 7:17 am #21454 Frances (Guest)