A security vulnerability has been uncovered in the LiteSpeed Cache plugin for WordPress, potentially allowing unauthenticated users to escalate their privileges. Tracked as CVE-2023-40000, the vulnerability was addressed in version 5.7.0.1 released in October 2023.
Patchstack researcher Rafie Muhammad highlighted that the plugin is susceptible to an unauthenticated site-wide stored cross-site scripting (XSS) vulnerability. This flaw could enable unauthorized users to steal sensitive information and potentially escalate privileges on WordPress sites with a single HTTP request.
LiteSpeed Cache, a popular plugin used to enhance site performance, boasts over five million installations. The fix shipped in version 5.7.0.1; the latest version of the plugin is 6.1, released on February 5, 2024.
According to Patchstack, the vulnerability stems from missing sanitization of user input and missing output escaping in the update_cdn_status() function, and it can be exploited in a default installation. Muhammad emphasized that the XSS payload is inserted as an admin notice, which can be displayed on any wp-admin endpoint, so it is easily triggered by any user with access to the wp-admin area.
This disclosure follows Wordfence’s revelation of another XSS flaw (CVE-2023-4372, CVSS score: 6.4) in the same plugin, reported four months earlier. The previous vulnerability, addressed in version 5.7, allowed authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts into pages, executing whenever a user accessed an affected page.
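To triage an installation against the two fixes mentioned above, the following added example (not code from Patchstack, Wordfence or the plugin) reads the `Version:` field from a plugin header and compares it numerically, so that 5.7, 5.7.0.1 and 5.10 are ordered correctly. It assumes every release below a fixed version is affected, since this article gives no lower bound; the function names and the sample header are constructed for illustration.

```python
import re

# Fixed-in releases as stated in this article.
FIXED_IN = {
    "CVE-2023-4372": (5, 7),
    "CVE-2023-40000": (5, 7, 0, 1),
}

# Matches a header line such as " * Version: 5.7.0.1".
_VERSION_LINE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Turn '5.7.0.1' into (5, 7, 0, 1); reject anything non-numeric."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def version_from_header(header):
    """Read the Version field from a WordPress plugin file header comment."""
    match = _VERSION_LINE.search(header)
    if match is None:
        raise ValueError("no Version: field in plugin header")
    return parse_version(match.group(1))


def _padded(version, width):
    # Pad with zeros so that 5.7 and 5.7.0 compare as equal.
    return version + (0,) * (width - len(version))


def unpatched_cves(installed):
    """Return the CVEs whose fixed release is newer than the installed version."""
    hits = []
    for cve, fixed in FIXED_IN.items():
        width = max(len(installed), len(fixed))
        if _padded(installed, width) < _padded(fixed, width):
            hits.append(cve)
    return sorted(hits)


# Constructed sample header in the standard WordPress plugin header layout.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Version: 5.7
 */
"""

if __name__ == "__main__":
    installed = version_from_header(SAMPLE_HEADER)
    print(installed, unpatched_cves(installed))
```

A plain string comparison would rank "5.10" below "5.7" and flag a patched site, which is why the versions are compared as integer tuples.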