5M WordPress Websites At Risk Amid LiteSpeed Plugin Flaw

Wajahat Raja

March 14, 2024 - TuxCare expert team

A highly sensitive flaw has been identified in the LiteSpeed Cache plugin for WordPress, putting as many as 5 million websites at risk. Uncovered by the cybersecurity researchers at Patchstack, the LiteSpeed plugin flaw is a serious risk to WordPress site security because it potentially allows unauthorized parties to access sensitive information.

This revelation comes just a couple of months after WordPress released a critical code execution update to enhance the security of its websites. The LiteSpeed plugin flaw, tracked as CVE-2023-40000, enables threat actors to perform privilege escalation on a WordPress site and steal any information of their choice by sending just a single HTTP request.

In this article, we will look at this LiteSpeed plugin security issue in depth and see what WordPress security measures have been taken in this regard.


Background of the LiteSpeed Cache Plugin


The LiteSpeed Cache plugin, a website acceleration plugin, is one of the most popular caching plugins for WordPress. It offers a number of optimization features for WordPress websites as well as a server-level cache. The plugin is also compatible with other plugins, such as WooCommerce.


LiteSpeed Plugin Flaw Attack Details


This LiteSpeed plugin flaw is an unauthorized site-wide stored cross-site scripting (XSS) issue, of the same kind as one found in the Zimbra Collaboration email software a few months ago. The main reason behind this LiteSpeed plugin security vulnerability is a lack of user input sanitization.

Missing output escaping has also been attributed to this LiteSpeed plugin flaw, particularly within the update_cdn_status() function. The admin notice feature is used to insert the cross-site scripting (XSS) payload. The LiteSpeed plugin flaw can be triggered by any user who has access to wp-admin.

This is because admin notices can appear on any wp-admin endpoint. Furthermore, this WordPress security vulnerability can be reproduced on a default installation of the LiteSpeed plugin.

A similar XSS flaw was also reported earlier by WordPress. Coincidentally, that LiteSpeed plugin flaw, tracked as CVE-2023-4372, was also due to a lack of user input sanitization and output escaping. The previous LiteSpeed vulnerability was addressed in version 5.7.


LiteSpeed Plugin Security Patch


Since the LiteSpeed plugin flaw was discovered, the developers of LiteSpeed Cache have released a patch and advised users to update the plugin to version 5.7.0.1 or later. The patch prevents potential attackers from accessing sensitive information of WordPress users.

The plugin constructed an HTML value directly from the POST body parameter, and the vendor added a permission check on update_cdn_status. The 5.7.0.1 patch has been available since October 2023, with the latest version of the LiteSpeed plugin, 6.1, released on February 5, 2024.
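As an added illustration, and not code from LiteSpeed Cache or from this article, the hypothetical WordPress handler below shows the pattern described in the attack details above (a POST value stored and later echoed into an admin notice with no sanitization, escaping, or capability check) next to a hardened version that applies the kinds of fixes the patch section describes. All hook, option, and function names are assumed for the example.

```php
<?php
// Hypothetical plugin code for illustration only; names are invented.
// Register either the vulnerable or the hardened pair, not both, in a real plugin.

// --- Vulnerable pattern: no capability check, no sanitization, no output escaping ---
add_action( 'wp_ajax_example_update_cdn_status', 'example_update_cdn_status_vuln' );
function example_update_cdn_status_vuln() {
    // Any logged-in user can reach a wp_ajax_* hook; the raw POST value is stored as-is.
    update_option( 'example_cdn_notice', $_POST['status'] );
    wp_send_json_success();
}
add_action( 'admin_notices', 'example_cdn_notice_vuln' );
function example_cdn_notice_vuln() {
    // Rendered unescaped on every wp-admin page: stored XSS if the value carries markup.
    echo '<div class="notice"><p>' . get_option( 'example_cdn_notice' ) . '</p></div>';
}

// --- Hardened pattern: capability + nonce check, sanitize on write, escape on output ---
add_action( 'wp_ajax_example_update_cdn_status_safe', 'example_update_cdn_status_safe' );
function example_update_cdn_status_safe() {
    // Permission check: only users who may manage options can change the CDN status.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the request must carry a nonce issued for this action name.
    check_ajax_referer( 'example_cdn_status', 'nonce' );
    // Input sanitization: unslash, then strip tags and control characters before storing.
    $status = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_option( 'example_cdn_notice', $status );
    wp_send_json_success();
}
add_action( 'admin_notices', 'example_cdn_notice_safe' );
function example_cdn_notice_safe() {
    $status = get_option( 'example_cdn_notice', '' );
    if ( '' === $status ) {
        return;
    }
    // Output escaping: HTML-encode the stored value at the point where it is rendered.
    echo '<div class="notice notice-info"><p>' . esc_html( $status ) . '</p></div>';
}
```

Sanitizing on write and escaping on output are independent defenses: the capability check limits who can reach the handler, while esc_html() protects the admin pages even if a bad value has already been stored.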


Conclusion 


Cybersecurity threats have increased manifold in recent years, and threat actors are always on the lookout for security vulnerabilities in different platforms. WordPress, being one of the leading website builders, is a constant target for hackers.

This is because threat actors want to steal sensitive information from users to run their malicious campaigns. This warrants secure and well-fortified patching practices so that vulnerabilities such as the LiteSpeed plugin flaw do not appear again.

The sources for this piece include articles in The Hacker News and TechRadar.
