Researchers at Patchstack have issued a warning regarding an unauthenticated site-wide stored XSS vulnerability, identified as CVE-2023-40000, affecting the LiteSpeed Cache plugin for WordPress.
LiteSpeed Plugin Vulnerability
The LiteSpeed Cache plugin (free version) is a widely used caching tool for WordPress, boasting over 4 million active installations.
Tracked as CVE-2023-40000, the vulnerability was addressed in October 2023 in version 5.7.0.1.
An unauthenticated user could exploit this vulnerability to steal sensitive information or elevate privileges on the WordPress site via a single HTTP request. Patchstack’s advisory highlighted that the plugin is afflicted by an unauthenticated site-wide stored XSS vulnerability, which could allow unauthorized users to carry out such actions, including privilege escalation.
“This vulnerability arises due to the absence of input sanitization and output escaping in the user-input handling code. Additionally, improper access control is observed on one of the plugin’s REST API endpoints, exacerbating the situation.”
The vulnerability resides in the function ‘update_cdn_status.’
As the vulnerability originates from constructing an HTML value directly from the POST body parameter for the admin notice message, the issue can be resolved by sanitizing user input through esc_html directly on the affected parameter. Additionally, the vendor has addressed the matter by implementing a permission check on the update_cdn_status function, integrating hash validation to limit access exclusively to privileged users.
The post concludes by recommending the application of escaping and sanitization to any message intended for display as an admin notice. Depending on the context of the data, it suggests using sanitize_text_field for sanitizing values for HTML output (outside of HTML attributes) or esc_html. To escape values within attributes, the post advises using the esc_attr function. Furthermore, it emphasizes the importance of implementing proper permission or authorization checks for registered REST route endpoints.
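The two fixes described above (sanitize on input and escape on output for the admin notice, plus an authorization check on the REST endpoint) as an added example in a minimal WordPress plugin fragment. This is illustrative code, not LiteSpeed Cache's own; the `demo_cdn_*` function, route and option names are hypothetical, only the WordPress APIs (`sanitize_text_field`, `esc_html`, `esc_attr`, `register_rest_route`, `current_user_can`, `hash_equals`) are real, and the combination of a capability check with a stored secret hash is an assumption about what "hash validation" for privileged users could look like, not a description of the vendor's patch.

```php
<?php
// Added example (not LiteSpeed Cache's code). Names prefixed demo_cdn_ are
// hypothetical; only the WordPress functions used are real APIs.

// --- Vulnerable pattern the article describes: the notice message is taken
// straight from the request body, stored, and later echoed into admin pages. ---
function demo_cdn_store_notice_vulnerable() {
    $msg = isset( $_POST['msg'] ) ? wp_unslash( $_POST['msg'] ) : '';
    update_option( 'demo_cdn_notice', $msg );          // stored unsanitized
}

function demo_cdn_render_notice_vulnerable() {
    $msg = get_option( 'demo_cdn_notice', '' );
    echo '<div class="notice notice-info"><p>' . $msg . '</p></div>'; // unescaped sink
}

// --- Hardened version ---
// 1. Sanitize on the way in (plain-text context), escape on the way out.
function demo_cdn_store_notice_fixed( WP_REST_Request $request ) {
    $msg = sanitize_text_field( (string) $request->get_param( 'msg' ) );
    update_option( 'demo_cdn_notice', $msg );
    return new WP_REST_Response( array( 'ok' => true ), 200 );
}

function demo_cdn_render_notice_fixed() {
    $msg = get_option( 'demo_cdn_notice', '' );
    if ( '' === $msg ) {
        return;
    }
    printf(
        '<div class="%s"><p>%s</p></div>',
        esc_attr( 'notice notice-info' ),  // attribute context -> esc_attr
        esc_html( $msg )                   // HTML text context -> esc_html
    );
}
add_action( 'admin_notices', 'demo_cdn_render_notice_fixed' );

// 2. Authorization on the REST endpoint: a permission_callback that requires a
//    privileged capability and a provisioned secret hash (assumed design).
function demo_cdn_permission_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    $expected = (string) get_option( 'demo_cdn_callback_hash', '' ); // hypothetical option
    $given    = (string) $request->get_param( 'hash' );
    // Constant-time comparison; also reject when no hash has ever been provisioned.
    if ( '' === $expected || ! hash_equals( $expected, $given ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid hash.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-cdn/v1', '/status', array(
        'methods'             => 'POST',
        'callback'            => 'demo_cdn_store_notice_fixed',
        'permission_callback' => 'demo_cdn_permission_check', // not '__return_true'
        'args'                => array(
            'msg'  => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'hash' => array( 'type' => 'string' ),
        ),
    ) );
} );
```

The split between `sanitize_text_field` at the REST argument boundary and `esc_html`/`esc_attr` at render time is deliberate: sanitizing strips what should never be stored, while escaping is chosen per output context (text node versus attribute), so a value that later lands in a different context is still handled correctly. The `permission_callback` is what closes the "improper access control" half of the advisory; an endpoint registered without one, or with `__return_true`, stays reachable by unauthenticated callers regardless of how well the handler escapes its output.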