CVE-2023-40000

Name of the Vulnerable Software and Affected Versions LiteSpeed Cache versions prior to 5.7.0.1

Description The issue is related to improper neutralization of input during web page generation, also known as cross-site scripting (XSS). This vulnerability allows stored XSS attacks, which can lead to unauthorized access to sensitive information and privilege escalation. The estimated number of potentially affected devices worldwide is over 5 million, as the LiteSpeed Cache plugin is widely used in WordPress sites. There have been reports of real-world incidents where this issue was exploited, resulting in the creation of rogue admin accounts on susceptible websites. The vulnerability can be exploited by sending specially crafted HTTP requests, allowing unauthenticated users to gain access to protected information or elevate their privileges.

Recommendations Update LiteSpeed Cache to version 5.7.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality until a patch is applied. Avoid using the vulnerable plugin until the issue is resolved. Update to version 6.1 to stay protected, as recommended by some sources. Consider disabling the plugin or restricting its use until the issue is fixed.