WordPress LiteSpeed Cache Plugin with vulnerability CVE-2023-40000

[German]Quick note for WordPress users who use the LiteSpeed Cache plugin. The plugin should be updated urgently, as a vulnerability CVE-2023-40000 can lead to an unauthoriszd takeover of the website. An update for the quite popular plugin is available.


Advertising

I gulped when I read the following tweet with the warning – because I had been using the LiteSpeed Cache plugin here on the blog for a long time. I dropped that plugin in January 2024, after my hoster updated PHP and the plugin slowed down the database accesses and my blog became unuseable.

WordPress LiteSpeed Cache Plugin CVE-2023-40000

The Hacker News has covered the issue it in this article: The vulnerability CVE-2023-40000 was fixed in October 2023 in version 5.7.0.1. It was discovered by patchstack researcher Rafie Muhammad, who describes the problem as follows: "This plugin suffers from an unauthenticated, site-wide, stored [cross-site scripting] vulnerability and could allow any unauthenticated user to steal sensitive information and, in this case, gain privilege escalation on the WordPress site by executing a single HTTP request."

LiteSpeed Cache has more than 5 million users and is quite popular. The current version is 6.1, which was released on 5 February 2024. When I read this, I was a little more reassured, as I had installed version 5.7.0.1 in October 2023. On the one hand, it helps that WordPress notifies you when plugin updates are available. On the other hand, the WordFence plugin monitors whether component updates are pending and notifies me.


Advertising

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).