Researchers from Patchstack have issued a warning regarding a critical XSS vulnerability, identified as CVE-2023-40000, affecting the widely-used LiteSpeed Cache plugin for WordPress. This unauthenticated site-wide stored XSS flaw, disclosed in an advisory, could enable malicious actors to pilfer sensitive data or elevate their privileges on affected WordPress sites through a single HTTP request. The vulnerability, which stems from inadequate input sanitization and output escaping, was addressed in version 5.7.0.1 of the plugin released in October 2023.
The vulnerability specifically resides within the ‘update_cdn_status’ function of the LiteSpeed Cache plugin, allowing attackers to exploit HTML construction directly from the POST body parameter for admin notice messages. To mitigate this issue, the vendor has implemented measures such as sanitizing user input using ‘esc_html’ and introducing permission checks on the ‘update_cdn_status’ function, limiting access to privileged users. These proactive steps were instrumental in resolving the vulnerability with the release of version 5.7.0.1, effectively safeguarding WordPress sites against potential exploitation.
In light of this security advisory, Patchstack emphasizes the importance of applying thorough escaping and sanitization measures to any admin notice messages displayed within WordPress. Additionally, they recommend utilizing appropriate permission and authorization checks on registered REST route endpoints to bolster overall security posture. By following these guidelines and promptly updating to the patched version of LiteSpeed Cache, WordPress site administrators can fortify their defenses against XSS vulnerabilities and mitigate the associated risks effectively
