WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

February 27, 2024 at 09:57AM

A security vulnerability in LiteSpeed Cache plugin for WordPress (CVE-2023-40000) allows unauthenticated users to elevate privileges. Patchstack researcher Rafie Muhammad mentioned potential information theft and privilege escalation. The issue was fixed in version 5.7.0.1, and the latest version is 6.1, released on February 5, 2024. This follows Wordfence’s discovery of another XSS flaw (CVE-2023-4372).

The report details a security vulnerability in the LiteSpeed Cache plugin for WordPress, tracked as CVE-2023-40000, which could allow unauthenticated users to escalate their privileges. The vulnerability was addressed in version 5.7.0.1 in October 2023, and the latest version of the plugin, 6.1, was released on February 5, 2024. The vulnerability is attributed to a lack of user input sanitization and output escaping, rooted in a function named update_cdn_status(). Additionally, four months prior, another XSS flaw (CVE-2023-4372) in the same plugin was disclosed by Wordfence and addressed in version 5.7. This underscores the importance of keeping WordPress plugins patched to prevent exploitation of such vulnerabilities.
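As an added illustration (not the plugin's own code, and not Patchstack's or Wordfence's analysis), the following hypothetical WordPress handler shows the bug class the article describes: an unauthenticated endpoint that stores unsanitized input and later echoes it unescaped, beside a hardened version with a nonce, a capability check, an input allow-list and output escaping. Every name prefixed with ls_demo_ is invented for this example.

```php
<?php
// Added illustration, not LiteSpeed Cache's code. The ls_demo_* names and the
// 'status' parameter are invented; the WordPress API calls are real.

// VULNERABLE pattern: reachable without login (wp_ajax_nopriv_), no nonce,
// no capability check, raw input stored, raw output echoed.
add_action( 'wp_ajax_nopriv_ls_demo_update_cdn_status', 'ls_demo_update_cdn_status_vuln' );
function ls_demo_update_cdn_status_vuln() {
    // Whatever the caller sends is persisted verbatim.
    update_option( 'ls_demo_cdn_status', $_POST['status'] ?? '' );
    wp_die();
}
function ls_demo_render_cdn_status_vuln() {
    // Unescaped echo: stored HTML/JS executes in an administrator's browser
    // (stored XSS), which is the path to the privilege escalation the article cites.
    echo '<p>CDN status: ' . get_option( 'ls_demo_cdn_status', '' ) . '</p>';
}

// HARDENED pattern: logged-in users only (wp_ajax_), nonce, capability check,
// sanitized and allow-listed input, escaped output.
add_action( 'wp_ajax_ls_demo_update_cdn_status', 'ls_demo_update_cdn_status_safe' );
function ls_demo_update_cdn_status_safe() {
    // Rejects requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'ls_demo_cdn_status', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $status = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    // Only the values the feature actually needs are accepted.
    $allowed = array( 'enabled', 'disabled', 'error' );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }
    update_option( 'ls_demo_cdn_status', $status );
    wp_send_json_success();
}
function ls_demo_render_cdn_status_safe() {
    // Escape at output time even though the stored value was validated.
    echo '<p>CDN status: ' . esc_html( get_option( 'ls_demo_cdn_status', '' ) ) . '</p>';
}
```

When reviewing a plugin for this class of issue, look for `wp_ajax_nopriv_` or REST routes with a permissive `permission_callback` whose handlers write to options that are later rendered in the admin area.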
