An XSS vulnerability has just been discovered in the LiteSpeed Cache WordPress plugin that allows an unauthenticated attacker to escalate privileges, steal sensitive information... by making a single HTTP request
The vulnerability is tracked as CVE-2023-40000 and exists in version 5.7.01, released in October 2023. According to researchers, the XSS flaw lies in a notice shown to administrators and can surface on any page of the administration interface. Consequently, anyone with access to the site's administration interface (wp-admin) can trigger the vulnerability.
The LiteSpeed Cache plugin is used to improve website performance and currently has over 5 million installations. WordPress attributed the vulnerability to insufficient validation of user input.
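To illustrate the bug class the article describes, the following is an added example (hypothetical plugin code, not the LiteSpeed Cache source): an admin notice that echoes attacker-influenced text without escaping, beside a hardened version that gates the value behind a capability check and a nonce, sanitizes it on input and escapes it on output with the WordPress escaping API. The parameter name `lscache_msg`, the option name `example_plugin_notice` and the action names are assumptions.

```php
<?php
// Added illustration of an XSS-prone admin notice and its hardened form.
// Hypothetical code; not taken from the LiteSpeed Cache plugin.

// Vulnerable pattern: request-controlled text is concatenated straight into
// the notice HTML. Any user who can reach wp-admin sees it rendered as markup.
function vulnerable_admin_notice() {
    $msg = isset( $_GET['lscache_msg'] ) ? $_GET['lscache_msg'] : ''; // assumed parameter name
    echo '<div class="notice notice-info"><p>' . $msg . '</p></div>';
}

// Hardened pattern, part 1: only a privileged user with a valid nonce may
// set the notice text, and the text is sanitized before it is stored.
function hardened_save_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'example_plugin_save_notice' ); // assumed nonce action
    $clean = sanitize_text_field( wp_unslash( $_POST['lscache_msg'] ?? '' ) );
    update_option( 'example_plugin_notice', $clean ); // assumed option name
}

// Hardened pattern, part 2: output is escaped at render time regardless of
// how the stored value was produced, so markup in it is shown as text.
function hardened_admin_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $msg = get_option( 'example_plugin_notice', '' );
    if ( '' === $msg ) {
        return;
    }
    printf(
        '<div class="notice notice-info"><p>%s</p></div>',
        esc_html( $msg )
    );
}

add_action( 'admin_post_example_plugin_save_notice', 'hardened_save_notice' );
add_action( 'admin_notices', 'hardened_admin_notice' );
```

Sanitizing on input is not a substitute for escaping on output: a value stored before the sanitizer existed, or written by another code path, is still rendered safely by `esc_html()`.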
Administrators are advised to update the LiteSpeed Cache plugin to the latest version, deploy a web application firewall (WAF) to block XSS attempts, and tightly manage user roles and permissions.