Four million WordPress sites vulnerable to LiteSpeed plugin flaw

esteria.white

Cybersecurity researchers have discovered a significant vulnerability in the LiteSpeed Cache plugin for WordPress.

The vulnerability affects the LiteSpeed Cache plugin, which has over 4 million active installations, and is an unauthenticated, site-wide stored XSS (cross-site scripting) flaw: a single HTTP request, sent without any credentials, can plant a payload that could allow access to sensitive information or privilege escalation on an affected WordPress site.

The flaw, discovered by the Patchstack team, stems from a lack of input sanitization and output escaping in the plugin’s code, combined with improper access control on one of its REST API endpoints. Specifically, the vulnerable code is the update_cdn_status function, reachable through the cdn_status REST API endpoint, which could be called by unauthenticated users. The issue was assigned CVE-2023-40000 and fixed in version 5.7.0.1 of the plugin.

To mitigate the risk, users are advised to update the LiteSpeed Cache plugin to version 5.7.0.1 or later. Additionally, developers are encouraged to implement proper input sanitization and output escaping in their code, particularly for data displayed in admin notices. The vendor has also added a permission check to the affected function so that only privileged users can call it.
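The two root causes named above (a REST route anyone can call, and untrusted input rendered unescaped as an admin notice) and the two fixes (a permission callback plus sanitize-on-input, escape-on-output) can be shown side by side in a minimal plugin. The code below is an illustration added to this article, not LiteSpeed Cache’s own code; the namespace example-cache/v1, the routes, the option names and the manage_options capability are assumptions chosen for the example.

```php
<?php
/**
 * Added illustration, not LiteSpeed Cache's code: a minimal WordPress plugin
 * whose REST endpoint stores a message that is later shown as an admin notice.
 * The namespace (example-cache/v1), routes, option names and capability are
 * assumptions chosen for this example.
 */

/* ---- Vulnerable pattern: unauthenticated route, raw input, unescaped output ---- */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cache/v1', '/cdn-status-vulnerable', array(
        'methods'             => 'POST',
        'callback'            => 'example_cache_update_cdn_status_vulnerable',
        // '__return_true' lets any HTTP client, logged in or not, call this route.
        'permission_callback' => '__return_true',
    ) );
} );

function example_cache_update_cdn_status_vulnerable( WP_REST_Request $request ) {
    // Attacker-controlled string persisted as-is (no sanitize_text_field()).
    update_option( 'example_cache_notice_vulnerable', $request->get_param( 'msg' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

/* ---- Hardened pattern: capability check, sanitized input, escaped output ---- */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cache/v1', '/cdn-status', array(
        'methods'             => 'POST',
        'callback'            => 'example_cache_update_cdn_status',
        // Only administrators (manage_options) may change the stored notice.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'msg' => array(
                'required'          => true,
                'type'              => 'string',
                // Strips tags and control characters before the callback sees it.
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 200;
                },
            ),
        ),
    ) );
} );

function example_cache_update_cdn_status( WP_REST_Request $request ) {
    update_option( 'example_cache_notice', $request->get_param( 'msg' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

/* ---- Rendering in wp-admin: the output side of both patterns ---- */

add_action( 'admin_notices', function () {
    $raw = get_option( 'example_cache_notice_vulnerable' );
    if ( $raw ) {
        // Unescaped: a stored "<script>" tag runs in every administrator's browser.
        echo '<div class="notice notice-info"><p>' . $raw . '</p></div>';
    }

    $safe = get_option( 'example_cache_notice' );
    if ( $safe ) {
        // esc_html() on output, even though the input was already sanitized.
        echo '<div class="notice notice-info"><p>' . esc_html( $safe ) . '</p></div>';
    }
} );
```

To check the hardened route, an anonymous `curl -X POST https://example.test/wp-json/example-cache/v1/cdn-status -d 'msg=<script>alert(1)</script>'` should come back with a `rest_forbidden` error (HTTP 401 for a client with no session, 403 for a logged-in user lacking the capability), and a legitimate administrator calling it over cookie authentication also needs a valid REST nonce in the `X-WP-Nonce` header. Both layers matter: the permission callback removes the unauthenticated path, while sanitizing on input and escaping on output ensures that even a privileged caller cannot store markup that executes for other administrators.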

Despite the patch, the incident highlights the importance of proactive security measures in the development and maintenance of WordPress plugins, as vulnerabilities can have far-reaching consequences for website owners and users.


The vulnerability was first discovered on October 17, 2023, leading to communication with the plugin vendor and the deployment of a vPatch rule to protect users. On October 25, the vendor released version 5.7.0.1 of the LiteSpeed Cache plugin to address the reported issue. The vulnerability was added today to the Patchstack vulnerability database, coinciding with the public release of the security advisory.
