Four Million WordPress Sites Vulnerable to LiteSpeed Plugin Flaw
Cybersecurity researchers have discovered a significant vulnerability in the LiteSpeed Cache plugin for WordPress.
The vulnerability affects the LiteSpeed Cache plugin, which boasts over 4 million active installations, and presents a risk of unauthenticated site-wide stored XSS (cross-site scripting). This could potentially allow unauthorized access to sensitive information or privilege escalation on affected WordPress sites via a single HTTP request.
The flaw, discovered by the Patchstack team, stems from a lack of input sanitization and output escaping in the plugin's code, combined with improper access control on one of its REST API endpoints. The issue, tracked as CVE-2023-40000, was addressed in version 5.7.0.1 of the plugin. Specifically, the vulnerability resides in the update_cdn_status function, which is triggered by the cdn_status REST API endpoint, so an unauthenticated user could reach it.
To mitigate the risk, users are advised to update their LiteSpeed Cache plugin to the latest version. Additionally, developers are encouraged to implement proper input sanitization and output escaping in their code, particularly for data displayed in admin notices. The vendor has also implemented a permission check on the affected function to limit access to privileged users.
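The two defects named above, a REST endpoint reachable without a capability check and a value that is stored raw and later echoed into an admin notice, are easiest to see side by side. The following is an added illustration written for this article, not code from the LiteSpeed Cache plugin: it uses a hypothetical plugin with assumed names (`example-plugin/v1`, `example_plugin_*`) to show the weak pattern and the hardened pattern that the mitigation paragraph describes (permission check, input sanitization, output escaping).

```php
<?php
// Added illustration, not the LiteSpeed Cache plugin's code.
// A hypothetical plugin exposes a REST endpoint that records a status string
// and later shows it in an admin notice. All names here are assumed.

// --- Weak pattern: public endpoint, raw value stored, echoed unescaped ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/status', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_update_status_weak',
        // '__return_true' makes the endpoint callable by anyone, logged in or not.
        'permission_callback' => '__return_true',
    ) );
} );

function example_plugin_update_status_weak( WP_REST_Request $request ) {
    // Attacker-controlled input is persisted without sanitization...
    update_option( 'example_plugin_status', $request->get_param( 'status' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'admin_notices', function () {
    // ...and echoed unescaped into every admin page: stored XSS against admins.
    echo '<div class="notice"><p>' . get_option( 'example_plugin_status', '' ) . '</p></div>';
} );

// --- Hardened pattern: capability check, input sanitization, output escaping ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/status-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_update_status_safe',
        // Only users allowed to manage site options may call this endpoint.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'status' => array(
                'required'          => true,
                'type'              => 'string',
                // Strips tags, octets and line breaks before the callback runs.
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_plugin_update_status_safe( WP_REST_Request $request ) {
    // Value has already passed sanitize_text_field via the 'args' schema.
    update_option( 'example_plugin_status_safe', $request->get_param( 'status' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'admin_notices', function () {
    // Escape at output time as well: defence in depth against data that was
    // stored before the sanitization was added.
    printf(
        '<div class="notice notice-info"><p>%s</p></div>',
        esc_html( get_option( 'example_plugin_status_safe', '' ) )
    );
} );
```

The hardened version applies all three controls independently: `permission_callback` denies unauthenticated callers, `sanitize_callback` cleans the input before it is stored, and `esc_html()` escapes at render time so that anything already in the database (or written by another code path) cannot execute in an administrator's browser.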
Despite the patch, the incident underscores the importance of proactive security measures in the development and maintenance of WordPress plugins, as vulnerabilities can have far-reaching consequences for website owners and users.
The vulnerability was first discovered on October 17, 2023, prompting communication with the plugin vendor and the deployment of a vPatch rule to protect users. On October 25, the vendor released version 5.7.0.1 of the LiteSpeed Cache plugin to address the reported issues. Finally, the vulnerabilities were added to the Patchstack vulnerability database today, leading to the public release of the security advisory.