CVE-2023-40000: Plugin as a path to sensitive data of 5 million WordPress sites

Either the admin increases productivity, or hackers increase privileges.

A flaw has been discovered in the LiteSpeed Cache plugin for WordPress that allows an attacker to escalate their privileges. Patchstack announced it in a technical report.

The stored XSS vulnerability allows any unauthorized user to steal confidential information and escalate privileges on a WordPress site with a single HTTP request. The vulnerability, CVE-2023-40000, was fixed in October 2023 in version 5.7.0.1.

LiteSpeed Cache is used to improve site performance and has more than 5 million installations. The latest version of the plugin, 6.1, was released on February 5, 2024.

The report notes that CVE-2023-40000 is the result of missing user input sanitization and output escaping. The vulnerability lies in the function `update_cdn_status()` and can be reproduced on a default installation.

Since the XSS payload is stored as an admin notice, and the admin notice can be displayed on any "wp-admin" endpoint, the vulnerability can easily be triggered by any user with access to the admin panel.
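The root cause described above (unsanitized input stored as an admin notice, then printed without escaping) looks like the following in a WordPress plugin. This is an added illustration, not LiteSpeed Cache's code or its patch; every `demo_` function, option and action name is hypothetical, and the capability and nonce checks are one assumed way to restrict who may write the notice.

```php
<?php
// Hypothetical plugin code (assumption): all demo_* names are invented for illustration.

// BEFORE: handler reachable without login stores raw request data.
function demo_update_status_vulnerable() {
    $msg = isset( $_POST['msg'] ) ? $_POST['msg'] : '';
    update_option( 'demo_admin_notice', $msg ); // stored exactly as received
}
add_action( 'admin_post_nopriv_demo_status_old', 'demo_update_status_vulnerable' );

// BEFORE: the stored value is printed verbatim on every wp-admin page,
// so any markup in it executes in the administrator's session.
function demo_render_notice_vulnerable() {
    $msg = get_option( 'demo_admin_notice' );
    if ( $msg ) {
        echo '<div class="notice notice-info"><p>' . $msg . '</p></div>';
    }
}

// AFTER: authorize the caller, sanitize on input, escape on output.
function demo_update_status_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_update_status' ); // nonce check against CSRF

    $raw = ( isset( $_POST['msg'] ) && is_string( $_POST['msg'] ) )
        ? wp_unslash( $_POST['msg'] )
        : '';
    // sanitize_text_field() strips tags and control characters before storage.
    update_option( 'demo_admin_notice', sanitize_text_field( $raw ) );
}
add_action( 'admin_post_demo_status', 'demo_update_status_hardened' );

function demo_render_notice_hardened() {
    $msg = get_option( 'demo_admin_notice' );
    if ( is_string( $msg ) && '' !== $msg ) {
        // esc_html() neutralizes anything that survived storage, including
        // values written before the input fix was deployed.
        echo '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
    }
}
add_action( 'admin_notices', 'demo_render_notice_hardened' );
```

Escaping at output matters even after input sanitization is added, because notices already saved in the options table are rendered by the same code path.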
 