CVE-2024-3246
📋 TL;DR
The LiteSpeed Cache WordPress plugin has a Cross-Site Request Forgery vulnerability that allows attackers to trick administrators into clicking malicious links, which can then update plugin settings and inject malicious JavaScript. This affects all WordPress sites using LiteSpeed Cache version 6.2.0.1 or earlier. Attackers can potentially compromise site visitors through injected scripts.
💻 Affected Systems
- LiteSpeed Cache WordPress Plugin
📦 What is this software?
LiteSpeed Cache by LiteSpeed Technologies (litespeedtech)
⚠️ Risk & Real-World Impact
Worst Case
Site administrator clicks malicious link, allowing attacker to inject persistent JavaScript that compromises all site visitors through credential theft, malware distribution, or site defacement.
Likely Case
Attacker creates convincing phishing campaign targeting WordPress administrators, successfully injects malicious scripts that steal session cookies or redirect users to malicious sites.
If Mitigated
With proper CSRF protections and user awareness, administrators avoid clicking suspicious links, limiting exploitation attempts.
🎯 Exploit Status
Exploitation requires social engineering to trick an administrator into clicking a malicious link, but otherwise uses standard CSRF techniques. The attacker needs no credentials of their own: the forged request is issued by the administrator's browser and rides on that administrator's existing session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.0.2 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3123399/litespeed-cache/trunk/src/cloud.cls.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find LiteSpeed Cache and click 'Update Now'.
4. Verify the version is 6.2.0.2 or higher.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the LiteSpeed Cache plugin until patched
wp plugin deactivate litespeed-cache
Add CSRF Protection Manually
Add nonce verification to the affected endpoints via custom code
Requires PHP development expertise - not recommended for non-developers
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Use WordPress security plugins with CSRF protection and monitor for suspicious admin actions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > LiteSpeed Cache > View version details. If version is 6.2.0.1 or lower, you are vulnerable.
Check Version:
wp plugin get litespeed-cache --field=version
Verify Fix Applied:
After updating, verify version shows 6.2.0.2 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unexpected POST requests to /wp-admin/admin-ajax.php with action=litespeed_token_save
- Multiple failed CSRF token validations in WordPress debug logs
Network Indicators:
- Unusual outbound connections from WordPress site after administrator visits external links
- Suspicious referrer headers in admin area requests
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "litespeed_token_save" AND NOT "nonce"
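As an added example (not from the advisory and not the plugin's own code), the following Python checks structured request records against the two log indicators above: an admin-ajax POST for litespeed_token_save that carries no WordPress nonce field, and one whose Referer is missing or not from the site's own origin. The site origin and the sample records are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed origin of the protected site (placeholder, not from the advisory).
SITE_ORIGIN = "https://example.com"

# Constructed sample records, not real traffic: one dict per request as a WAF
# or WordPress request logger might emit it (method, path, referer, body).
SAMPLE_LOG = [
    {"method": "GET", "path": "/wp-admin/", "referer": "", "body": ""},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php?action=litespeed_token_save",
     "referer": "https://attacker.example/lure.html", "body": "token=abc"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "referer": "https://example.com/wp-admin/admin.php?page=litespeed",
     "body": "action=litespeed_token_save&_wpnonce=deadbeef&token=abc"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "referer": "https://example.com/wp-admin/", "body": "action=heartbeat"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "referer": "", "body": "action=litespeed_token_save&_ajax_nonce=cafe"},
]

def suspicious_reasons(entry):
    """Indicators tripped by a litespeed_token_save POST; None if not one."""
    url = urlsplit(entry["path"])
    if entry["method"] != "POST" or not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # Merge query-string and form-body parameters (body wins on conflict).
    params = parse_qs(url.query)
    params.update(parse_qs(entry.get("body", "")))
    if params.get("action", [""])[0] != "litespeed_token_save":
        return None
    reasons = []
    # Indicator 1: no WordPress nonce field (_wpnonce, _ajax_nonce, ...).
    if not any("nonce" in k.lower() for k in params):
        reasons.append("missing nonce")
    # Indicator 2: Referer absent or not from the site's own origin.
    ref = urlsplit(entry.get("referer", ""))
    if f"{ref.scheme}://{ref.netloc}" != SITE_ORIGIN:
        reasons.append("off-site or missing referer")
    return reasons

def scan(entries):
    """Return (index, reasons) for every matching request that trips an indicator."""
    hits = []
    for i, entry in enumerate(entries):
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append((i, reasons))
    return hits
```

A benign settings save from the plugin's own admin page (nonce present, same-origin Referer) produces no hit, so the output is limited to requests worth a closer look.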
🔗 References
- https://plugins.trac.wordpress.org/changeset/3123399/litespeed-cache/trunk/src/cloud.cls.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8036bd83-9af5-4b71-8974-9b0690ea6769?source=cve