
A vulnerability in the WordPress LiteSpeed Plugin has put 5 million websites in danger.

LiteSpeed Cache is a popular plugin for WordPress that is used to improve website performance. However, a security vulnerability has been discovered in this plugin that could allow unauthorized users to gain escalated privileges on a site. This vulnerability, tracked as CVE-2023-40000, allows an unauthenticated user to perform a single HTTP request that could lead to privilege escalation on the WordPress site.

The issue was discovered by Patchstack researcher Rafie Muhammad, who found that the plugin suffers from unauthenticated site-wide stored cross-site scripting (XSS). The vulnerability was addressed in October 2023 with the release of version 5.7.0.1.

The vulnerability is caused by a lack of input sanitization and output escaping in a function named update_cdn_status(). Since the XSS payload is placed as an admin notice that could be displayed on any wp-admin endpoint, it could be triggered by any user with access to the wp-admin area. It's worth noting that LiteSpeed Cache has over five million installations, and the latest version of the plugin is 6.1, which was released on February 5, 2024.
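To make the bug class concrete, here is an added illustration of the same pattern in a hypothetical admin-notice handler. This is not LiteSpeed Cache's code and does not reproduce update_cdn_status(); the option key and function names (demo_cdn_status_option, demo_update_cdn_status_*, demo_render_cdn_notice_*) are assumed for the example, while the WordPress APIs used (update_option, get_option, sanitize_text_field, wp_unslash, esc_html, current_user_can, check_admin_referer, add_action) are real. The vulnerable form stores a request-controlled string unsanitized and echoes it unescaped into a notice shown on every wp-admin page; the hardened form gates who can write the value, sanitizes it on the way in, and escapes it on the way out.

```php
<?php
// Added illustration, not LiteSpeed Cache's own code: a hypothetical
// admin-notice pattern showing stored XSS in wp-admin next to its fix.
// Assumed names: demo_cdn_status_option, demo_update_cdn_status_*,
// demo_render_cdn_notice_*. WordPress API calls are real.

// --- Vulnerable pattern: stored as received, echoed raw. ---
function demo_update_cdn_status_vulnerable( $status_text ) {
    // No capability check, no nonce, no sanitization: whatever arrived
    // in the request is written straight to the options table.
    update_option( 'demo_cdn_status_option', $status_text );
}

function demo_render_cdn_notice_vulnerable() {
    $msg = get_option( 'demo_cdn_status_option', '' );
    // No output escaping: any markup in the stored value is rendered on
    // every wp-admin page that prints admin notices, for every viewer.
    echo '<div class="notice notice-info"><p>' . $msg . '</p></div>';
}

// --- Hardened pattern: gate access, sanitize input, escape output. ---
function demo_update_cdn_status_hardened( $status_text ) {
    // Only users allowed to manage options may change what admins see.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // The nonce ties the write to a form the site itself issued (anti-CSRF);
    // check_admin_referer() stops execution if it is missing or invalid.
    check_admin_referer( 'demo_cdn_status_update' );
    // Strip tags, line breaks and control characters before persisting.
    $clean = sanitize_text_field( wp_unslash( $status_text ) );
    return update_option( 'demo_cdn_status_option', $clean );
}

function demo_render_cdn_notice_hardened() {
    $msg = get_option( 'demo_cdn_status_option', '' );
    if ( '' === $msg ) {
        return;
    }
    // esc_html() turns <, >, &, " and ' into entities, so even a value that
    // slipped past sanitization is displayed as text, not executed.
    printf(
        '<div class="notice notice-info"><p>%s</p></div>',
        esc_html( $msg )
    );
}

// Only the hardened renderer is hooked into the admin-notice output.
add_action( 'admin_notices', 'demo_render_cdn_notice_hardened' );
```

The two defenses are deliberately layered: sanitizing on input limits what can be stored, while escaping on output guarantees that whatever is stored cannot change the page's structure. Reviewing a plugin for this bug class means checking every admin_notices callback for a raw echo of option or request data.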

This disclosure comes four months after Wordfence revealed another XSS flaw in the same plugin (CVE-2023-4372, CVSS score: 6.4) due to insufficient input sanitization and output escaping on user-supplied attributes. This allowed authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages, which would execute whenever a user accessed an injected page, according to István Márton.

If you're using the LiteSpeed Cache plugin for WordPress, it's highly recommended to update to the latest version as soon as possible to mitigate the risk of any potential security vulnerabilities.


Deitasoft © 2024. All Rights Reserved.