A widely used WordPress plugin has been found to be vulnerable to a cross-site scripting attack that could allow hackers to steal sensitive information.
A WordPress plugin has been found that allows attackers to escalate privileges
The vulnerability, discovered by security researchers, was reported to developers before its release. According to the report, the plugin in question is called LiteSpeed Cache. The plugin is used to improve and optimize website performance.
The plugin is in active use on more than four million websites, and is claimed to be in use on 5 million. The vulnerability, described as a site-wide stored XSS vulnerability, can be exploited by making a single HTTP request and is currently tracked as CVE-2023-40000.
“This vulnerability arises because the code that processes input from the user does not implement output escaping. This is also coupled with improper access control on one of the plugin’s existing REST API endpoints,” the researchers wrote.
Following the discovery of the vulnerability, the developers of LiteSpeed Cache also released a patch. Users who have this WordPress plugin active on their sites are advised to update their plugin to at least version 5.7.0.1.
{{user}} {{datetime}}
{{text}}