WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk
Feb 27, 2024
Vulnerability / Website Security
A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. Tracked as CVE-2023-40000 , the vulnerability was addressed in October 2023 in version 5.7.0.1. "This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," Patchstack researcher Rafie Muhammad said . LiteSpeed Cache , which is used to improve site performance, has more than five million installations. The latest version of the plugin is 6.1, which was released on February 5, 2024. The WordPress security company said CVE-2023-40000 is the result of a lack of user input sanitization and escaping output . The vulnerability is rooted in a function named update_cdn_status() and can be reproduced in a defa...