A security vulnerability has been discovered in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to escalate their privileges.
Tracked as CVE-2023-40000, the vulnerability was fixed in October 2023 in version 5.7.0.1.
“This plugin suffers from an unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user to steal sensitive information and, in this case, escalate privileges on the WordPress site by making a single HTTP request,” said Rafie Muhammad, a researcher at Patchstack.
LiteSpeed Cache, used to improve site performance, has more than five million installs. The latest version of the plugin, 6.1, was released on February 5, 2024.
The WordPress security company said that CVE-2023-40000 is the result of a lack of user input sanitization and output escaping. The vulnerability is rooted in a function called update_cdn_status() and can be reproduced in a default installation.
“Since the XSS payload is injected as an admin alert, and the admin alert could be displayed on any wp-admin endpoint, this vulnerability could also easily be triggered by any user who has access to the wp-admin area,” Muhammad said.
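To make the root cause described above concrete, here is an added, hypothetical WordPress snippet (not LiteSpeed Cache's own code; the `hypo_` function names and the `hypo_cdn_status_msg` option are invented) showing the general admin-notice pattern: a message taken from a request is stored without sanitization and later echoed on every wp-admin screen without escaping, followed by the hardened form that checks capability and nonce, sanitizes on input, and escapes on output.

```php
<?php
// Hypothetical illustration of a stored-XSS-via-admin-notice pattern and its fix.
// Not LiteSpeed Cache code; function and option names are invented.

// --- Vulnerable pattern ---------------------------------------------------
// A status message taken from an HTTP request is stored unsanitized, then
// later echoed into an admin notice without escaping. Because admin notices
// render on every wp-admin screen, any administrator who opens the dashboard
// has whatever markup was stored rendered in their browser.
function hypo_store_status_vulnerable() {
    // No capability check, no nonce, no sanitization.
    $msg = isset( $_REQUEST['status_msg'] ) ? wp_unslash( $_REQUEST['status_msg'] ) : '';
    update_option( 'hypo_cdn_status_msg', $msg );
}

function hypo_show_status_vulnerable() {
    $msg = get_option( 'hypo_cdn_status_msg', '' );
    // Raw output: stored markup is rendered as-is.
    echo '<div class="notice notice-info"><p>' . $msg . '</p></div>';
}

// --- Hardened pattern -----------------------------------------------------
function hypo_store_status_hardened() {
    // 1. Only privileged users may write the option; unauthenticated and
    //    low-privilege requests are rejected before anything is stored.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. The request must carry a valid nonce so it cannot be forged cross-site.
    check_admin_referer( 'hypo_update_status' );
    // 3. Sanitize on input: sanitize_text_field() strips tags and control characters.
    $msg = isset( $_REQUEST['status_msg'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['status_msg'] ) )
        : '';
    update_option( 'hypo_cdn_status_msg', $msg );
}

function hypo_show_status_hardened() {
    $msg = get_option( 'hypo_cdn_status_msg', '' );
    if ( '' === $msg ) {
        return;
    }
    // 4. Escape on output: esc_html() turns HTML special characters into
    //    entities, so even a value tampered with through another path
    //    (e.g. direct database access) renders as text, not markup.
    printf(
        '<div class="notice notice-info"><p>%s</p></div>',
        esc_html( $msg )
    );
}

add_action( 'admin_notices', 'hypo_show_status_hardened' );
```

The two halves are independent defenses: the capability and nonce checks stop untrusted callers from writing the option at all, while input sanitization and output escaping ensure that a stored value can never be interpreted as script even if the write path is later bypassed. When reviewing a plugin for this class of bug, look for every `admin_notices` callback and trace each echoed value back to where it was stored.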
The disclosure comes four months after Wordfence revealed another XSS flaw in the same plugin (CVE-2023-4372, CVSS score: 6.4) due to insufficient input sanitization and output escaping on attributes provided by the user. It was fixed in version 5.7.
“This makes it possible for authenticated attackers with contributor-level and higher permissions to inject arbitrary web scripts into pages that will be executed whenever a user accesses an inserted page,” said István Márton.