Critical Vulnerability In LiteSpeed Cache Plugin Puts Over 5 Million WordPress Sites At Risk

Security researchers have found a critical vulnerability in the LiteSpeed Cache plugin for WordPress, putting over five million installations at risk. Tracked as CVE-2023-40000, the flaw allows unauthenticated users to exploit a site-wide stored cross-site scripting (XSS) vulnerability, potentially leading to privilege escalation within WordPress sites.
The vulnerability, which was addressed in October 2023 with the release of version 5.7.0.1, could enable malicious actors to steal sensitive information and gain elevated privileges through a single HTTP request. Patchstack researcher Rafie Muhammad emphasised the severity of the issue, highlighting the potential for unauthorised users to compromise WordPress sites.

LiteSpeed Cache is a popular plugin used to enhance site performance, making the vulnerability particularly concerning for millions of WordPress users. Despite the patch released in October, the plugin remained susceptible to exploitation until the release of version 6.1 on February 5, 2024.

This disclosure comes just four months after another XSS flaw (CVE-2023-4372, CVSS score: 6.4) was revealed in the same plugin by Wordfence. The previous vulnerability, addressed in version 5.7, allowed authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages, which would execute whenever a user accessed the affected page.

Security experts urge LiteSpeed Cache users to update their plugins to the latest version (6.1) immediately to mitigate the risk of exploitation. Failure to do so could leave WordPress sites vulnerable to malicious attacks, potentially resulting in unauthorised access and data compromise.
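To act on that advice across many sites, an administrator can read the installed plugin version from disk and compare it with the versions named above. The following is an added example, not code from the article, Patchstack, or the plugin. The plugin file path and all function names are assumptions, and the sample header is constructed.

```python
import re
from pathlib import Path

# Version thresholds as reported in the article.
FIX_CVE_2023_4372 = (5, 7)
FIX_CVE_2023_40000 = (5, 7, 0, 1)
RECOMMENDED = (6, 1)
# Assumption: the plugin sits at its default location under the WordPress root.
PLUGIN_FILE = "wp-content/plugins/litespeed-cache/litespeed-cache.php"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.I | re.M)

def parse_version(text):
    """Return the plugin header version as a tuple of ints, or None if absent."""
    m = HEADER_RE.search(text[:8192])  # WordPress reads plugin headers from the first 8 KB
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def older_than(version, fixed):
    """Compare after zero-padding, so 5.7 < 5.7.0.1 and 6.1.0 is not older than 6.1."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def classify(version):
    """Map a version tuple to a triage status based on the article's versions."""
    if version is None:
        return "unknown"
    if older_than(version, FIX_CVE_2023_4372):
        return "vulnerable: CVE-2023-4372 and CVE-2023-40000"
    if older_than(version, FIX_CVE_2023_40000):
        return "vulnerable: CVE-2023-40000"
    if older_than(version, RECOMMENDED):
        return "update to 6.1"
    return "ok"

def audit(roots):
    """Return {wordpress_root: status}; roots without the plugin are skipped."""
    results = {}
    for root in map(Path, roots):
        plugin = root / PLUGIN_FILE
        if plugin.is_file():
            text = plugin.read_text(errors="replace")
            results[str(root)] = classify(parse_version(text))
    return results

if __name__ == "__main__":
    # Constructed sample header, not copied from the real plugin file.
    sample = "<?php\n/**\n * Plugin Name: LiteSpeed Cache\n * Version:  5.7\n */\n"
    print(classify(parse_version(sample)))
```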
