Millions of WordPress sites vulnerable to compromise due to plugin bug

More than five million WordPress sites could be compromised due to an unauthenticated site-wide cross-site scripting flaw in the LiteSpeed Cache plugin, tracked as CVE-2023-40000, which could be exploited to facilitate privilege escalation attacks, according to The Hacker News.

The flaw stems from inadequate sanitization of user input and a lack of output escaping. It was fixed in an October update, but on an unpatched site it can be triggered with a single HTTP request, according to a report from Patchstack. "Since the XSS payload is placed as an admin notice and the admin notice could be displayed on any wp-admin endpoint, this vulnerability also could be easily triggered by any user that has access to the wp-admin area," said Patchstack researcher Rafie Muhammad. It is the second XSS bug to affect the LiteSpeed Cache plugin, after CVE-2023-4372, which Wordfence researchers reported in August. Exploiting CVE-2023-4372 "makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page," noted Wordfence researcher Istvan Marton.
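To make the pattern behind this class of bug concrete, here is an added illustration of how a stored admin notice turns into persistent, site-wide XSS and how to close it. This is example code written for this article, not LiteSpeed Cache's code and not a reconstruction of CVE-2023-40000; the option name, hook names and the `example_` prefix are hypothetical. The vulnerable version stores a request parameter without a capability or nonce check and echoes it unescaped on every wp-admin page; the hardened version requires `manage_options` plus a nonce, sanitizes on input and escapes on output.

```php
<?php
// Added example (hypothetical plugin code, not LiteSpeed Cache):
// register either example_register_vulnerable() or
// example_register_hardened() from a plugin file, never both.

// --- Vulnerable pattern ----------------------------------------------------
function example_register_vulnerable() {
    // admin_init also fires for requests to admin-ajax.php and admin-post.php,
    // including unauthenticated ones, so a handler hooked here without a
    // capability check and a nonce is reachable by anyone.
    add_action( 'admin_init', function () {
        if ( isset( $_GET['example_notice'] ) ) {
            // Stored verbatim: no sanitization on input.
            update_option( 'example_plugin_notice', wp_unslash( $_GET['example_notice'] ) );
        }
    } );

    // The stored value is echoed on every wp-admin screen, so a payload such as
    //   <img src=x onerror="fetch('/wp-admin/user-new.php')">
    // executes in the browser of whichever administrator opens the dashboard,
    // with that administrator's session and nonces.
    add_action( 'admin_notices', function () {
        $msg = get_option( 'example_plugin_notice' );
        if ( $msg ) {
            echo '<div class="notice notice-info"><p>' . $msg . '</p></div>'; // no escaping
        }
    } );
}

// --- Hardened pattern ------------------------------------------------------
function example_register_hardened() {
    // admin_post_{action} only fires for logged-in users hitting admin-post.php
    // with action=example_set_notice; we still check capability and nonce.
    add_action( 'admin_post_example_set_notice', function () {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions', 403 );
        }
        check_admin_referer( 'example_set_notice' ); // verifies _wpnonce, dies on failure

        // Sanitize on input: strips tags, octets and extra whitespace.
        $clean = sanitize_text_field( wp_unslash( $_POST['example_notice'] ?? '' ) );
        update_option( 'example_plugin_notice', $clean );

        wp_safe_redirect( admin_url( 'options-general.php' ) );
        exit;
    } );

    add_action( 'admin_notices', function () {
        $msg = get_option( 'example_plugin_notice' );
        if ( $msg ) {
            // Escape on output regardless of what is stored (defence in depth:
            // the option could be written by other code or a direct DB change).
            printf(
                '<div class="notice notice-info"><p>%s</p></div>',
                esc_html( $msg )
            );
        }
    } );
}
```

The two controls are independent and both are needed: the capability and nonce checks stop an unauthenticated or low-privileged request from writing the notice at all, while `esc_html()` at the point of output ensures that even a value that slipped past input handling is rendered as text rather than markup. Checking only one of them leaves the other path open.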
