Published: Feb 29, 2024 15:45
Advisory No: TZCERT/SA/2024/02/29
Date of First Release: 28th February 2024
Source: securityaffairs
Software Affected: LiteSpeed Cache plugin for WordPress (free version)
Overview:
The LiteSpeed Cache plugin for WordPress is affected by a vulnerability tracked as CVE-2023-40000 that allows unauthenticated, site-wide stored XSS. A remote attacker can exploit the vulnerability to steal sensitive information or gain escalated privileges on the WordPress site.
Description:
The LiteSpeed Cache plugin (free version), a popular WordPress caching plugin with over 4 million active installations, is vulnerable because of the way it handles user input: it neither sanitizes the input nor escapes the output. The vulnerability resides in the function 'update_cdn_status', where the HTML for an admin notice message is built directly from a POST body parameter. Successful exploitation allows unauthenticated stored XSS, resulting in theft of sensitive information or privilege escalation on the WordPress site with a single HTTP request.
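The following is an added illustration of the pattern described above, written for this advisory; it is not LiteSpeed Cache's code and does not reproduce the affected function. The option name, parameter names, nonce action and function names are hypothetical. It shows a WordPress admin-notice handler that stores a POST parameter and echoes it as raw HTML, beside a hardened version that adds a capability check, a nonce check, input sanitization and output escaping.

```php
<?php
// Added example (hypothetical plugin code, not LiteSpeed Cache's own).
// Option name 'example_status_notice' and POST parameter 'status_msg'
// are assumptions for illustration only.

// --- Vulnerable pattern: POST value is stored, then rendered as raw HTML ---
function example_vulnerable_update_status() {
    if ( isset( $_POST['status_msg'] ) ) {
        // No capability check, no nonce, no sanitization: whatever reaches
        // this handler is persisted and later shown to every administrator.
        $msg = wp_unslash( $_POST['status_msg'] );
        update_option( 'example_status_notice', $msg );
    }
}

function example_vulnerable_notice() {
    $msg = get_option( 'example_status_notice' );
    if ( $msg ) {
        // Stored XSS sink: the stored string is concatenated into markup unescaped.
        echo '<div class="notice notice-info"><p>' . $msg . '</p></div>';
    }
}

// --- Hardened pattern ---
function example_hardened_update_status() {
    // 1. Only users allowed to manage the site may change the notice.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. Require a nonce so the request comes from the plugin's own form.
    $nonce = isset( $_POST['example_nonce'] ) ? sanitize_key( $_POST['example_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_update_status' ) ) {
        return;
    }
    if ( isset( $_POST['status_msg'] ) ) {
        // 3. Sanitize on input: strip tags, line breaks and control characters.
        $msg = sanitize_text_field( wp_unslash( $_POST['status_msg'] ) );
        update_option( 'example_status_notice', $msg );
    }
}

function example_hardened_notice() {
    $msg = get_option( 'example_status_notice' );
    if ( $msg ) {
        // 4. Escape on output: even if the stored value were altered through
        //    some other path, it renders as text rather than markup.
        echo '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
    }
}

add_action( 'admin_init', 'example_hardened_update_status' );
add_action( 'admin_notices', 'example_hardened_notice' );
```

The two defences are deliberately independent: sanitizing on input limits what gets stored, and escaping on output (esc_html) protects the page even when the stored value came from a code path that skipped sanitization. When reviewing a plugin for this class of bug, look for admin_notices callbacks that echo values originating from $_POST, $_GET or get_option() without an esc_* call, and for update handlers that lack current_user_can() and wp_verify_nonce() checks.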
Impact:
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive information.
Solution:
WordPress has released a security update to resolve this vulnerability. Users and administrators are encouraged to update as soon as possible.
References: