WordPress is notorious for slow page loads when it is not properly optimized, so its users install various plugins to speed up their websites. LiteSpeed Cache is one such popular plugin, installed on millions of WordPress sites.

A global WordPress security agency, Wordfence, recently identified a critical XSS vulnerability that puts around 4,000,000 WordPress sites at risk. 

Discovery

On August 14, 2023, Wordfence's Threat Intelligence team identified a critical stored Cross-Site Scripting (XSS) vulnerability in the widely used LiteSpeed Cache plugin. This plugin is active on more than 4 million WordPress websites, making it the most popular cache plugin.

Impact

The vulnerability allows malicious actors with contributor-level permissions or higher to inject harmful web scripts into pages using the plugin's shortcode. This poses a significant security risk.

Responsible Disclosure

Wordfence promptly contacted the LiteSpeed Cache Team on the same day the vulnerability was discovered, leading to a swift response from the developer team. A patch was created on August 16, 2023, and released to the WordPress repository on October 10, 2023.

Action for Website Owners

Website owners are strongly advised to update their LiteSpeed Cache plugin to the latest patched version, which is version 5.7 as of this writing. This update is crucial to ensure the security of their websites.
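For anyone managing several sites, the update advice above can be checked in bulk. The following is an added example, not code from Wordfence or LiteSpeed: it reads the installed plugin's header and flags anything older than 5.7. It assumes the standard install path `wp-content/plugins/litespeed-cache/litespeed-cache.php`, and the sample sites are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

PATCHED = (5, 7)  # patched release named in the article
# Assumption: standard install path of the plugin's main file under the site root.
PLUGIN_FILE = Path("wp-content/plugins/litespeed-cache/litespeed-cache.php")
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)


def parse_version(header_text):
    """Return the plugin header's version as a tuple of ints, or None."""
    match = VERSION_RE.search(header_text[:8192])  # header sits at the top of the file
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def audit_site(root):
    """Classify one WordPress root: not-installed, unknown, outdated or patched."""
    path = Path(root) / PLUGIN_FILE
    if not path.is_file():
        return "not-installed"
    version = parse_version(path.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return "unknown"  # header unreadable: inspect by hand
    return "patched" if version >= PATCHED else "outdated"


def demo():
    """Audit constructed sample sites built in a temporary directory."""
    samples = {"site-a": "5.6", "site-b": "5.7", "site-c": "5.7.0.1", "site-d": None}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, version in samples.items():
            root = Path(tmp) / name
            root.mkdir()
            if version:
                plugin = root / PLUGIN_FILE
                plugin.parent.mkdir(parents=True)
                plugin.write_text(f"<?php\n/**\n * Plugin Name: LiteSpeed Cache\n"
                                  f" * Version: {version}\n */\n")
            results[name] = audit_site(root)
    return results


if __name__ == "__main__":
    for site, status in demo().items():
        print(f"{site}: {status}")
```

To audit real installs, call `audit_site()` on each WordPress root directory; an "unknown" result means the header could not be parsed and the install should be inspected by hand.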

A Better Alternative

Since WordPress users depend on third-party plugins for even their most basic needs, this is a problem they have to deal with again and again. Instead, you can use a modern and secure blogging platform like Superblog for your blog. Superblog is auto-optimized for speed and SEO. Your blog remains super fast irrespective of how much traffic you get and how much content you post.