XSS flaw in LiteSpeed Cache plugin exposes millions of WordPress sites at risk

Researchers warn of an XSS vulnerability, tracked as CVE-2023-40000, in the LiteSpeed Cache plugin for WordPress

Patchstack researchers warn of an unauthenticated site-wide stored XSS vulnerability, tracked as CVE-2023-40000, that impacts the LiteSpeed Cache plugin for WordPress.

The free version of LiteSpeed Cache is a popular WordPress caching plugin with over 4 million active installations.

An unauthenticated attacker can exploit the flaw with a single HTTP request to store a payload that is later rendered in the WordPress admin interface, enabling theft of sensitive information or privilege escalation on the site.

“This plugin suffers from an unauthenticated site-wide stored XSS vulnerability and could allow any unauthenticated user to do anything from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request,” reads the advisory published by Patchstack.

“This vulnerability occurs because the code that handles input from the user doesn’t implement sanitization and output escaping. This case is also combined with improper access control on one of the available REST API endpoints from the plugin. The described vulnerability was fixed in version 5.7.0.1 and assigned CVE-2023-40000.”

The vulnerability resides in the plugin's ‘update_cdn_status’ function.

Because the vulnerability stems from building the HTML of an admin notice directly from a POST body parameter, the issue can be fixed by escaping the affected parameter with esc_html before it is rendered. The vendor also added a permission check to update_cdn_status, including a hash validation, so that only privileged users can reach the function.

The flaw was fixed with the release of version 5.7.0.1 in October 2023.

“We recommend applying escaping and sanitization to any message that will be displayed as an admin notice. Depending on the context of the data, we recommend using sanitize_text_field to sanitize value for HTML output (outside of HTML attribute) or esc_html. For escaping values inside of attributes, you can use the esc_attr function. We also recommend applying a proper permission or authorization check to the registered rest route endpoints.” concludes the post.
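To make the pattern concrete, here is an added example (not LiteSpeed Cache's code and not from Patchstack): a minimal WordPress plugin fragment showing the vulnerable shape the advisory describes, a publicly callable REST route whose parameter ends up unescaped inside an admin notice, next to a hardened version that applies the recommended input sanitization, output escaping and REST permission check. The route name example-cache/v1/cdn_status, the parameter names msg and hash, the option keys and the way the expected hash is stored are assumptions made for the example.

```php
<?php
/**
 * Added example, not LiteSpeed Cache's own code. Route, parameter and option
 * names are assumptions; the WordPress APIs used are real.
 */

// --- Vulnerable pattern ----------------------------------------------------
// (1) A REST route anyone can call: permission_callback always returns true.
// (2) The POST body parameter is stored as-is and later concatenated straight
//     into admin-notice HTML. Any visitor can plant a <script> payload that
//     every administrator renders on wp-admin pages: unauthenticated,
//     site-wide stored XSS.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cache/v1', '/cdn_status', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_cdn_status_vulnerable',
        'permission_callback' => '__return_true', // no access control at all
    ) );
} );

function example_update_cdn_status_vulnerable( WP_REST_Request $request ) {
    $message = $request->get_param( 'msg' ); // untrusted, never sanitized
    update_option( 'example_cdn_notice', $message );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'admin_notices', function () {
    $message = get_option( 'example_cdn_notice', '' );
    if ( '' !== $message ) {
        // HTML built directly from the stored parameter: the XSS sink.
        echo '<div class="notice notice-info"><p>' . $message . '</p></div>';
    }
} );

// --- Hardened pattern ------------------------------------------------------
// Sanitize on input (sanitize_text_field), escape on output (esc_html for
// text nodes, esc_attr inside attributes) and restrict the route to
// privileged users. The hash check stands in for the vendor's hash
// validation; storing the expected value in an option is an assumption.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cache/v1', '/cdn_status_fixed', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_cdn_status_fixed',
        'permission_callback' => 'example_cdn_status_permission',
        'args'                => array(
            'msg'  => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'hash' => array( 'required' => true ),
        ),
    ) );
} );

function example_cdn_status_permission( WP_REST_Request $request ) {
    // Only administrators may update the notice. For REST this implies an
    // authenticated request (cookie auth plus X-WP-Nonce, or application
    // passwords); anonymous callers fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    // Second factor: the request must carry the per-site hash. hash_equals
    // avoids a timing side channel; an empty stored hash never matches.
    $expected = (string) get_option( 'example_cdn_hash', '' );
    $supplied = (string) $request->get_param( 'hash' );
    if ( '' === $expected || ! hash_equals( $expected, $supplied ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid hash.', array( 'status' => 403 ) );
    }
    return true;
}

function example_update_cdn_status_fixed( WP_REST_Request $request ) {
    // 'msg' has already passed through sanitize_text_field via the args schema.
    update_option( 'example_cdn_notice_fixed', $request->get_param( 'msg' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'admin_notices', function () {
    $message = get_option( 'example_cdn_notice_fixed', '' );
    if ( '' !== $message ) {
        // Escape at output time regardless of what was stored, choosing the
        // escaper by context: esc_attr inside the attribute, esc_html in the
        // text node.
        printf(
            '<div class="notice notice-info" data-cdn-msg="%s"><p>%s</p></div>',
            esc_attr( $message ),
            esc_html( $message )
        );
    }
} );
```

The two halves of the fix are independent and both matter: the permission check closes the unauthenticated entry point, while escaping at the sink protects administrators even if some other code path later writes to the same option. Sanitizing on input alone is not enough, because sanitize_text_field strips tags but is not an HTML-context escaper; the value must still go through esc_html or esc_attr when rendered.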


Pierluigi Paganini
