Millions of WordPress sites vulnerable to compromise due to plugin bug – SC Media

More than five million WordPress sites could be compromised due to an unauthenticated site-wide cross-site scripting flaw in the LiteSpeed Cache plugin, tracked as CVE-2023-40000, which could be exploited to facilitate privilege escalation attacks, according to The Hacker News.
The vulnerability stems from inadequate sanitization of user input and escaping of output, a report from Patchstack showed; it was addressed in an October update but could be abused through a single HTTP request. “Since the XSS payload is placed as an admin notice and the admin notice could be displayed on any wp-admin endpoint, this vulnerability also could be easily triggered by any user that has access to the wp-admin area,” said Patchstack researcher Rafie Muhammad. The flaw is the second XSS bug affecting the LiteSpeed Cache plugin, after CVE-2023-4372 was reported by Wordfence researchers in August. Exploiting CVE-2023-4372 “makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page,” noted Wordfence researcher Istvan Marton.
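The root cause described above, request data stored without sanitization and later echoed raw into an admin notice that every wp-admin page renders, is easiest to see in a minimal plugin. The PHP below is an added illustration written for this page, not code from LiteSpeed Cache, Patchstack or Wordfence; the function, option and request-parameter names prefixed `example_` are hypothetical. The first pair of handlers reproduces the flawed pattern; the second shows the hardened form using only core WordPress APIs: a capability check, a nonce via `admin-post.php`, `sanitize_text_field()` on the way in and `esc_html()` on the way out.

```php
<?php
/*
 * Added illustrative example (hypothetical names, not the LiteSpeed Cache plugin's code).
 * Both variants are shown side by side and use different option names so the file
 * loads as-is; a real plugin would ship only the hardened variant.
 */

// --- Vulnerable pattern (stored XSS via admin notice) ---------------------------
// Runs on every request, authenticated or not: no capability check, no nonce,
// and the raw query-string value is written straight into the options table.
add_action( 'init', 'example_vulnerable_store_notice' );
function example_vulnerable_store_notice() {
    if ( isset( $_GET['example_notice'] ) ) {
        update_option( 'example_pending_notice', $_GET['example_notice'] );
    }
}

// The stored value is echoed without escaping into every wp-admin page, so any
// markup it contains executes in the browser of whoever views the dashboard.
add_action( 'admin_notices', 'example_vulnerable_show_notice' );
function example_vulnerable_show_notice() {
    $msg = get_option( 'example_pending_notice' );
    if ( $msg ) {
        echo '<div class="notice notice-info"><p>' . $msg . '</p></div>';
    }
}

// --- Hardened pattern ------------------------------------------------------------
// Reached only through a POST to admin-post.php?action=example_store_notice from a
// form that includes wp_nonce_field( 'example_store_notice' ).
add_action( 'admin_post_example_store_notice', 'example_secure_store_notice' );
function example_secure_store_notice() {
    // 1. Authorization: only users allowed to manage site options may write the notice.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', 403 );
    }
    // 2. CSRF protection: the request must carry a valid nonce for this action.
    check_admin_referer( 'example_store_notice' );

    // 3. Input sanitization: strip tags, line breaks and control characters,
    //    and bound the length so the option cannot be abused as bulk storage.
    $raw   = isset( $_POST['example_notice'] ) ? wp_unslash( $_POST['example_notice'] ) : '';
    $clean = substr( sanitize_text_field( $raw ), 0, 500 );
    update_option( 'example_pending_notice_safe', $clean );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// 4. Output escaping: esc_html() renders the value as text, never as markup, so even
//    a value tampered with elsewhere (e.g. another plugin's bug) cannot become script.
add_action( 'admin_notices', 'example_secure_show_notice' );
function example_secure_show_notice() {
    $msg = get_option( 'example_pending_notice_safe' );
    if ( $msg ) {
        printf( '<div class="notice notice-info"><p>%s</p></div>', esc_html( $msg ) );
    }
}
```

Sanitizing on input and escaping on output are separate controls and both belong in the fix: sanitization limits what reaches the database, while output escaping protects the page even if the stored value was written by some other code path. If a notice genuinely needs limited HTML, `wp_kses_post()` on output is the core-supported alternative to `esc_html()`. The unauthenticated `init` hook in the first variant is exactly what lets a single HTTP request plant the payload; moving the write behind `admin_post_*` with a capability check and nonce closes that path.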

Copyright © 2024 CyberRisk Alliance, LLC All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.