WordPress LiteSpeed Plugin Flaw Puts Millions of Sites at Risk
Security researchers have warned WordPress site owners of a vulnerability in the third-party LiteSpeed Cache plugin.
One of the most popular caching plugins for improving site performance, LiteSpeed Cache (free version) has over 4 million active installations. The vulnerability is an unauthenticated, site-wide stored XSS (cross-site scripting) flaw that can expose sensitive information.
An attacker can also use it to escalate privileges on the WordPress site, with the malicious payload planted by a single HTTP request.
Discovered by the Patchstack research team, the flaw "occurs because the code that handles input from the user doesn't implement sanitization and output escaping. This case also combined with improper access control on one of the available REST API endpoints from the plugin," the advisory states.
The flaw resides in the update_cdn_status function, which the advisory "confirmed as a function handler" for the plugin's cdn_status REST API endpoint. Because that endpoint lacks a proper permission check, an unauthenticated request can reach the handler and store a malicious payload; when the payload is later rendered for a privileged user in the admin area, the attacker can gain administrator-level privileges.
"Since the XSS payload is placed as an admin notice and the admin notice could be displayed on any wp-admin endpoint, this vulnerability also could be easily triggered by any user that has access to the wp-admin area," the advisory adds.
To mitigate the vulnerability, Patchstack advised WordPress site owners to update LiteSpeed Cache to the latest version, 6.1, released in February 2024. It also advised plugin developers to restrict the affected functions to privileged users by implementing permission checks.
"We recommend applying escaping and sanitization to any message that will be displayed as an admin notice. Depending on the context of the data, we recommend using sanitize_text_field to sanitize value for HTML output (outside of HTML attribute) or esc_html," the advisory continues.
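To make those two recommendations concrete, the following is an added illustration in PHP of a minimal WordPress plugin pattern that has the defects the advisory describes (a REST endpoint reachable without authentication that stores a caller-supplied message, which is later echoed unescaped as an admin notice), followed by the hardened equivalent. This is example code written for this article, not LiteSpeed Cache's source; the route namespace example/v1, the option names and the function names are hypothetical.

```php
<?php
/*
 * Plugin Name: Example Status Notice (illustration only)
 * Added example, not LiteSpeed Cache's own code. Route, option and
 * function names are hypothetical.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// ---- Vulnerable pattern -------------------------------------------------
// (1) The route is declared public, so any unauthenticated client can call it.
// (2) The handler stores the raw value and the notice echoes it unescaped, so
//     HTML/JS in the value runs in the browser of anyone who opens wp-admin.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/status', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_status_vulnerable',
        'permission_callback' => '__return_true', // no access control at all
    ) );
} );

function example_update_status_vulnerable( WP_REST_Request $request ) {
    // Raw, unsanitized value persisted: a stored XSS sink.
    update_option( 'example_status_notice', $request->get_param( 'msg' ) );
    return new WP_REST_Response( array( 'ok' => true ), 200 );
}

add_action( 'admin_notices', function () {
    $msg = get_option( 'example_status_notice' );
    if ( $msg ) {
        // Unescaped output rendered on every wp-admin page.
        echo '<div class="notice notice-info"><p>' . $msg . '</p></div>';
    }
} );

// ---- Hardened pattern ---------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/status-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_status_secure',
        // WordPress runs this before the callback; unauthenticated or
        // low-privileged callers get a 401/403 and never reach the handler.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'msg' => array(
                'required'          => true,
                'type'              => 'string',
                // Strips tags and control characters before storage.
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_update_status_secure( WP_REST_Request $request ) {
    // Defence in depth: sanitize again in case the route args change later.
    $msg = sanitize_text_field( (string) $request->get_param( 'msg' ) );
    update_option( 'example_status_notice_secure', $msg );
    return new WP_REST_Response( array( 'ok' => true ), 200 );
}

add_action( 'admin_notices', function () {
    $msg = get_option( 'example_status_notice_secure' );
    if ( $msg ) {
        // Escape at output time: esc_html neutralises any markup that reached
        // storage, for text content placed outside an HTML attribute.
        echo '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
    }
} );
```

The hardened route stops unauthenticated callers before the handler runs, because WordPress evaluates permission_callback first; sanitize_text_field strips markup on the way in and esc_html escapes on the way out, so even a value written by the older vulnerable handler cannot execute when displayed. Note that '__return_true' is the explicit way to declare a public endpoint, and omitting the key entirely also leaves the route reachable (WordPress 5.5 and later emit a _doing_it_wrong notice but still register it), so both forms are worth flagging in code review of any endpoint that writes state.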
First discovered on October 17, 2023, the vulnerability, tracked as CVE-2023-40000, was fixed in version 5.7.0.1, so any release from 5.7.0.1 onward contains the fix.