A widely used WordPress plugin has turned out to be vulnerable to a cross-site scripting attack that could allow hackers to steal sensitive information.
A WordPress plugin was found that allowed attackers to escalate their privileges
The vulnerability, discovered by security researchers, was reported to developers before publication. According to the news, the name of the plugin in question is LiteSpeed Cache. The plugin helps to increase and optimize website performance.
The plugin is actively used on more than four million websites, and it is even claimed to be 5 million. This vulnerability, defined as a site-wide stored XSS vulnerability, can be exploited by performing a single HTTP request and is currently tracked as CVE-2023-40000.
Researchers on the blog “This vulnerability occurs because the code processing input from the user does not implement output escaping. This was also coupled with improper access control on one of the plugin’s existing REST API endpoints.” They explained the deficit as follows:
After the vulnerability was discovered, the developers of LiteSpeed Cache also released a patch. Users active on these WordPress plugin sites are recommended to update their plugins to at least version 5.7.0.1.