WordPress LiteSpeed Cache Plugin Cross Site Scripting (XSS) Vulnerability (CVE-2023-40000)

The WordPress LiteSpeed Cache plugin is vulnerable to a cross-site scripting (XSS) flaw that may lead to privilege escalation. CVE-2023-40000 may allow an unauthenticated user to steal sensitive information and elevate their privileges on the WordPress site with a single HTTP request.

LiteSpeed Cache for WordPress (LSCWP) is a free, open-source plugin that improves site performance using the LiteSpeed web server’s built-in page cache. It works by storing a copy of website content for future requests, which reduces the number of requests the server must process and makes web pages faster. LSCWP supports WordPress Multisite and is compatible with the most popular plugins, including WooCommerce, bbPress, and Yoast SEO. According to WordPress, the plugin has more than five million active installations.

Vulnerability Description

The vulnerability arises from missing output escaping and input sanitization in the code that processes user input, combined with inappropriate access control on one of the plugin’s REST API endpoints.

The vulnerability resides in the function update_cdn_status, which is called from the cdn_status function. cdn_status is the handler function for the litespeed/v1/cdn_status REST API endpoint.

The endpoint is guarded by is_from_cloud, which is passed as the permission_callback argument and is supposed to check whether the caller may access the endpoint. Because this method simply returns true, any user can reach the endpoint without authentication.

One of the code paths in the update_cdn_status function calls Admin_Display::error() with the unsanitized $_POST['result']['_msg'] value as its input parameter. Admin_Display::error() is a wrapper function that displays an admin notice, the mechanism used to show information, alerts, and messages to users inside the wp-admin area.

Any user with access to the wp-admin area can also easily trigger this vulnerability, because the XSS payload is disguised as an admin notification that can be shown on any wp-admin page.
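The two defects described above, a permission_callback that always returns true and an admin notice built from an unescaped request parameter, are shown side by side with their hardened counterparts in the following example. This is added illustrative code, not the LiteSpeed Cache plugin's own source and not its actual fix; only the route name litespeed/v1/cdn_status is taken from the advisory, and every function, option and constant name (example_cdn_status_weak, example_cdn_notice, EXAMPLE_HARDENED) is an assumption.

```php
<?php
/**
 * Added illustrative example, not code from the LiteSpeed Cache plugin.
 * It shows the two weaknesses the advisory describes on an assumed route of
 * the same name: a permission_callback that always returns true, and an admin
 * notice rendered from an unescaped request parameter. EXAMPLE_HARDENED selects
 * which variant is registered; all function and option names are assumptions.
 */

define( 'EXAMPLE_HARDENED', true ); // set to false to register the weak variant

add_action( 'rest_api_init', function () {
    if ( EXAMPLE_HARDENED ) {
        register_rest_route( 'litespeed/v1', '/cdn_status', array(
            'methods'             => 'POST',
            'callback'            => 'example_cdn_status_hardened',
            // Capability check: only administrators may update the status.
            // Cookie-authenticated REST calls are additionally nonce-checked by core.
            'permission_callback' => function () {
                return current_user_can( 'manage_options' );
            },
            'args' => array(
                'result' => array(
                    'required'          => true,
                    'validate_callback' => function ( $value ) {
                        return is_array( $value )
                            && isset( $value['_msg'] )
                            && is_string( $value['_msg'] );
                    },
                ),
            ),
        ) );
    } else {
        register_rest_route( 'litespeed/v1', '/cdn_status', array(
            'methods'             => 'POST',
            'callback'            => 'example_cdn_status_weak',
            // Weak: the callback always returns true, so no authentication is required.
            'permission_callback' => '__return_true',
        ) );
    }
} );

// Weak handler: stores whatever arrived in result[_msg] without sanitization.
function example_cdn_status_weak( WP_REST_Request $request ) {
    $result = $request->get_param( 'result' );
    if ( is_array( $result ) && isset( $result['_msg'] ) ) {
        update_option( 'example_cdn_notice', $result['_msg'] );
    }
    return rest_ensure_response( array( 'ok' => true ) );
}

// Hardened handler: the route already validated the shape; sanitize before storing.
function example_cdn_status_hardened( WP_REST_Request $request ) {
    $result = $request->get_param( 'result' );
    update_option( 'example_cdn_notice', sanitize_text_field( $result['_msg'] ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

// The notice is printed on every wp-admin page, which is why a stored message
// reaches any administrator who logs in. Escaping at output is the second fix.
add_action( 'admin_notices', function () {
    $msg = get_option( 'example_cdn_notice' );
    if ( false === $msg || '' === $msg ) {
        return;
    }
    if ( EXAMPLE_HARDENED ) {
        // Rendered as text: any markup in $msg is shown literally, not interpreted.
        echo '<div class="notice notice-error"><p>' . esc_html( $msg ) . '</p></div>';
    } else {
        // Weak: raw concatenation of untrusted data into HTML.
        echo '<div class="notice notice-error"><p>' . $msg . '</p></div>';
    }
    delete_option( 'example_cdn_notice' ); // one-shot notice
} );
```

The hardened variant applies the two controls at different layers: the capability check in permission_callback stops unauthenticated requests before the handler runs, and esc_html() at the point of output ensures that whatever was stored is rendered as text. Sanitizing on input (sanitize_text_field) is a useful extra layer but is not a substitute for output escaping, since the same stored value may later be printed in a different context; if limited HTML is genuinely needed in a notice, wp_kses_post() is the context-appropriate alternative to esc_html().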

Affected Versions

The vulnerability affects LiteSpeed Cache plugin versions before 5.7.0.1.

Mitigation

Customers are requested to upgrade to LiteSpeed Cache plugin version 5.7.0.1 or later to mitigate the vulnerability. For more information about the mitigation, please refer to the WordPress security advisory.

Qualys Detection

Qualys customers can scan their devices with QID 731216 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://patchstack.com/articles/xss-vulnerability-in-litespeed-cache-plugin-affecting-4-million-sites/
