Cybersecurity researchers have discovered a significant vulnerability in the LiteSpeed Cache plugin for WordPress.
The vulnerability affects the LiteSpeed Cache plugin, which boasts over 4 million active installations, and presents a risk of unauthenticated site-wide stored XSS (cross-site scripting). This could potentially allow unauthorized access to sensitive information or privilege escalation on affected WordPress sites via a single HTTP request.
The flaw, discovered by the Patchstack team, stems from a lack of input sanitization and output escaping in the plugin's code, combined with improper access control on one of its REST API endpoints. The issue was assigned CVE-2023-40000 and addressed in version 5.7.0.1 of the plugin. Specifically, the vulnerability resides in the update_cdn_status function, which is triggered by the cdn_status REST API endpoint; because the endpoint lacked an adequate permission check, unauthenticated users could reach the vulnerable code.
To mitigate the risk, users are advised to update their LiteSpeed Cache plugin to the latest version. Additionally, developers are encouraged to implement proper input sanitization and output escaping in their code, particularly for data displayed in admin notices. The vendor has also implemented a permission check on the affected function to limit access to privileged users.
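The three defects named above (a REST endpoint with no real permission check, request data stored without sanitization, and stored data echoed into an admin notice without escaping) map directly onto three WordPress API features. The following is an added illustration written for this article, not LiteSpeed Cache's code: a hypothetical plugin fragment named `demo`, with placeholder route, function and option names, showing the weak pattern as dead code next to the hardened version that is actually hooked in.

```php
<?php
/*
 * Illustrative, hypothetical WordPress plugin fragment (not LiteSpeed Cache's code).
 * All names (demo/v1, demo_update_cdn_status, option demo_cdn_status) are placeholders.
 * Only the hardened route and notice are hooked; the weak variants are kept as
 * plain, unhooked functions so the two can be read side by side.
 */

// ---------- Weak pattern: the shape of defect the advisory describes ----------

function demo_weak_route_args() {
    return array(
        'methods'             => 'POST',
        'callback'            => 'demo_update_cdn_status_weak',
        // Defect 1: no access control. '__return_true' lets any unauthenticated caller in.
        'permission_callback' => '__return_true',
    );
}

function demo_update_cdn_status_weak( WP_REST_Request $request ) {
    // Defect 2: raw request data written straight into the options table.
    update_option( 'demo_cdn_status', $request->get_param( 'status' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

function demo_weak_admin_notice() {
    $status = get_option( 'demo_cdn_status', '' );
    // Defect 3: no output escaping; whatever was stored is rendered as HTML
    // for every administrator who loads a wp-admin page (stored XSS).
    echo '<div class="notice notice-info"><p>CDN status: ' . $status . '</p></div>';
}

// ---------- Hardened pattern: the fixes the advisory recommends ----------

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/cdn_status', array(
        'methods'  => 'POST',
        'callback' => 'demo_update_cdn_status',
        // Fix 1: access control. Only users who may manage site options reach the callback.
        // For cookie-authenticated REST calls WordPress additionally requires a valid
        // X-WP-Nonce header before the user is considered logged in.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        // Fix 2: input validation and sanitization via the REST schema. The value must be
        // a string from the allowed set; rest_validate_request_arg enforces the enum before
        // the callback runs, and sanitize_callback normalises it.
        'args' => array(
            'status' => array(
                'required'          => true,
                'type'              => 'string',
                'enum'              => array( 'enabled', 'disabled' ),
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

function demo_update_cdn_status( WP_REST_Request $request ) {
    // By the time we get here the parameter has been validated and sanitized.
    $status = $request->get_param( 'status' );
    update_option( 'demo_cdn_status', $status );
    return rest_ensure_response( array( 'status' => $status ) );
}

add_action( 'admin_notices', function () {
    $status = get_option( 'demo_cdn_status', '' );
    if ( '' === $status ) {
        return;
    }
    // Fix 3: output escaping. The stored value is rendered as text, never as markup,
    // so even a value that bypassed the input checks cannot execute in wp-admin.
    printf(
        '<div class="notice notice-info"><p>%s</p></div>',
        esc_html( sprintf( 'CDN status: %s', $status ) )
    );
} );
```

The defence is layered on purpose: the permission callback stops unauthenticated callers, the schema stops unexpected values from being stored, and `esc_html()` at the point of output means the admin notice stays safe even if a future code path writes to the same option without the first two checks.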
Despite the patch, the incident underscores the importance of proactive security measures in the development and maintenance of WordPress plugins, as vulnerabilities can have far-reaching consequences for website owners and users.
The vulnerability was first discovered on October 17, 2023, prompting communication with the plugin vendor and the deployment of a vPatch rule to protect users. On October 25, the vendor released version 5.7.0.1 of the LiteSpeed Cache plugin to address the reported issues. Finally, the vulnerability was added to the Patchstack vulnerability database today, leading to the public release of the security advisory.