Property Abroad
Blog
XSS threat in the LiteSpeed Cache plugin on WordPress: millions of sites at risk.

XSS threat in the LiteSpeed Cache plugin on WordPress: millions of sites at risk.

XSS threat in the LiteSpeed Cache plugin on WordPress: millions of sites at risk.

A study published by Patchstack has found an XSS vulnerability in the LiteSpeed Cache plugin for WordPress under the identifier CVE-2023-40000. The vulnerability is related to the ability to store data on a website in the form of XSS code without requiring user authentication. This means that an attacker can use this vulnerability to steal sensitive information or escalate their privileges on a WordPress site with just a single HTTP request. The LiteSpeed Cache plugin (free version) is a popular cache plugin for WordPress and has over 4 million active installations.

The vulnerability is related to the 'update_cdn_status' function as it uses input from the user without sufficient filtering and secure processing.

Recommended News
Recommended real estate
Patchstack recommends sanitizing and escaping all messages that will appear as warnings to the administrator, using the sanitize_text_field or esc_html functions to handle values outside of HTML attributes and the esc_attr function for values inside attributes. In addition, it is recommended to apply appropriate permission or authorization checks for registered REST API endpoints.

The vulnerability was fixed in version 5.7.0.1, released in October 2023. Developers have also added permission checking for the update_cdn_status function, restricting access to privileged users only. Users are advised to update the plugin to the latest version to fix the vulnerability.

Tags

Comment

Popular Posts

Subscribe to the newsletter from Hatamatata.ru!

I agree to the processing of personal data and confidentiality rules of Hatamatata