Rewterz Threat Update – About 5 Million Websites at Risk Due to WordPress LiteSpeed Cache Plugin Vulnerability

Severity

High

Analysis Summary

A security flaw has been uncovered in WordPress’s LiteSpeed Cache plugin that can allow an unauthenticated user to escalate their privileges. This vulnerability is tracked as CVE-2023-40000 and a patch was released for it in October 2023.

The affected plugin is suffering from a cross-site scripting vulnerability that could enable any unauthenticated user to steal sensitive data and escalate their privileges on the WordPress website just by sending a single HTTP request. LiteSpeed Cache is used to improve website performance and has over five million installations. Its latest version was released on February 5, 2024.

The WordPress security company, Patchstack, said that CVE-2023-40000 occurs due to a lack of user input sanitization and escaping output. The flaw is within a function called update_cdn_status() that can easily be reproduced in a default installation. This vulnerability can also be triggered by any user who has access to the wp-admin because the XSS payload is placed as an admin notice that can be displayed on any wp-admin endpoint.

The endpoint has an is_from_cloud protection that is set as the permission_callback argument, responsible for checking the permission of the user who accessed the specific endpoint. It is revealed that this function always returns true, allowing any unauthenticated user to access the endpoint.

The security flaw exists due to the code constructing an HTML value directly from the POST body parameter to the admin notice message. That’s why, sanitizing user input directly on the affected parameter should be able to fix the issue. On top of that, the vendor has also added a permission check on the update_cdn_status function using hash validation that will limit the function’s access to only privileged users.

The disclosure comes after four months of a revelation of another XSS vulnerability present in the same plugin, tracked as CVE-2023-4372 with a CVSS score of 6.4 that happens due to insufficient input sanitization and output escaping on attributes that are supplied by the user. This vulnerability was fixed in the version 5.7 update. It allows authenticated threat actors who have contributor-level or above permissions to inject arbitrary web scripts into web pages. These scripts then execute whenever a user visits an injected page.

It is recommended to apply sanitization and escaping to any message made to be displayed as an admin notice by using sanitize_text_field to sanitize the HTML output value or esc_html, depending on the context of the data. For escaping values found inside of attributes, it is possible to use the esc_attr function. Users are also urged to apply a proper authorization check or permission to the registered rest route endpoints.

Impact

• Privilege Escalation
• Sensitive Information Theft

Indicators Of Compromise

CVE

• CVE-2023-40000

Remediation

• Upgrade to the latest version of the plugin for WordPress, available from the WordPress Plugin Directory.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.