(1 votes, average: 5.00 out of 5, rated)
Loading...LiteSpeed Plugin Vulnerability Endangers 5 Million Websites
(1 votes, average: 5.00 out of 5, rated)Loading...
Security experts have discovered a critical security vulnerability in the WordPress plugin LiteSpeed Cache, putting five million WordPress websites at risk.
A susceptible vulnerability has been found in the WordPress LiteSpeed plugin, leaving up to 5 million websites in jeopardy. Patchstack’s cybersecurity professionals identified the vulnerability, which poses an important threat to the security of WordPress websites since it could allow unauthorized individuals to access confidential data.
Only a few months have passed since WordPress improved website security with a critical code execution upgrade.
The LiteSpeed plugin vulnerability, designated as CVE 2023-40000, allows malicious individuals in the cybersecurity space to gain control of their privileges on a WordPress website and steal any data they want—all with a single HTTP request.
What is LiteSpeed Plugin Flaw Attack?
LiteSpeed is one of the most utilized WordPress caching plugins. It is primarily recognized as a plugin for website acceleration. It comes with a server-level cache and other optimization features for WordPress websites.
The primary cause of this security flaw in the LiteSpeed plugin is users’ failure to sanitize their input.
Another issue with the LiteSpeed plugin has been linked to escaping output, including in the update_cdn_status() function. Inserting the cross-site scripting (XSS) payload is done using the admin notice function. Anybody who has access to the wp-admin can activate the LiteSpeed plugin vulnerability.
This is because any WordPress admin endpoint can display admin notifications. Moreover, this WordPress security flaw may be replicated using the LiteSpeed plugin’s default installation.
Security Fix for LiteSpeed Plugin Vulnerability
The Patchstack team found the vulnerability, which is caused by the plugin’s code lacking output escaping and input sanitization and incorrect access control on one of its REST API endpoints.
Version 5.7.0.1 of the plugin addressed the vulnerability and was given the CVE-2023-40000 code. The vulnerability exists explicitly in the update_cdn_status function, which made it possible for unauthenticated users to exploit using the cdn_status REST API endpoint.
A fix has been made available to stop potential hackers from accessing WordPress users’ private data.
Countermeasures
To reduce the risk, users are recommended to update to the most recent version of the LiteSpeed Cache plugin. Furthermore, developers should include appropriate input sanitization and output escaping into their code, especially for data that gets displayed in admin notifications.
The vendor also included a permission check to prevent privileged users from accessing the impacted function.
Though the issue has been resolved, this incident shows the significance of proactive security measures in developing and maintaining WordPress plugins, as vulnerabilities can significantly impact users and website administrators.
Summary
Attackers are always searching for vulnerabilities in various platforms, and cybersecurity risks have multiplied in the last few years. Since WordPress is one of the most popular website builders, hackers regularly target it.
Cyberspace attackers attempt to get sensitive user data to launch their illegal and destructive activities. This ensures that vulnerabilities like the LiteSpeed plugin do not recur by providing secure and robust fixing solutions.
Professional WordPress Support Services at Certera.
With our WordPress support services, we will protect your website from security risks so you can be confident and relaxed. Our comprehensive approach to security includes every aspect, from monitoring website activity to identifying suspect code and preventing brute-force attacks.
