This WordPress plugin vulnerability has put millions of websites at risk

News
By published

A WordPress plugin was found allowing attackers to elevate privileges

WordPress
(Image credit: Pixabay)

A super popular WordPress plugin was found vulnerable to a cross-site scripting attack which could allow threat actors to steal sensitive information and escalate privileges on websites. 

Security researchers Patchstack discovered the flaw and reported it to the developers, before publishing their findings on their blog.

As per the report, the plugin in question is called LiteSpeed Cache, it’s a website optimization plugin designed to improve website performance.

Patch available

The plugin counts more than four million active installations (The Hacker News claims five million). The vulnerability, described as “site-wide stored XSS” flaw, can be exploited by performing a single HTTP request. It is now tracked as CVE-2023-40000.

“This vulnerability occurs because the code that handles input from the user doesn't implement sanitization and output escaping,” the researchers explained in the blog. “This case also combined with improper access control on one of the available REST API endpoints from the plugin.”

Since the discovery, LiteSpeed Cache’s developers released a patch. Users are advised to update their plugins to at least version - 5.7.0.1, and secure their websites from potential attackers. The patch became available in October last year. The latest version, 6.1, was released on February 5, The Hacker News reported.

WordPress is the world’s number one website builder, powering roughly half of the global internet. As such, it’s a popular target among hackers looking for easy ways into databases, where they can steal sensitive data, mount malicious advertising campaigns, phishing, and more. Still, WordPress is generally considered safe, unlike its many themes and plug-ins which are usually considered the weakest link.

Plugins, especially non-commercial ones, are often developed by small teams (or individuals), sometimes abandoned, and usually not maintained efficiently. That makes them the ideal entry point for attacks, which is why Patchstack, Wordfence, and other WordPress-oriented security firms, often report on finding and eliminating bugs in plugins and themes, and not WordPress itself.

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over a million WordPress sites exposed to attack from W3 Total Cache plugin flaw
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
WordPress
Another top WordPress plugin found carrying critical security flaws
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
WordPress
WordPress users beware - these popular theme plugins have some major security issues
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
Open AI
OpenAI live stream - could we see a major ChatGPT upgrade?
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
More about security
cybersecurity

Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak

A major Keenetic router data leak could put a million households at risk
Venezuela's forward #09 Jhonder Cadiz celebrates after scoring during the 2026 FIFA World Cup South American qualifiers football match between Ecuador and Venezuela, at the Rodrigo Paz Delgado stadium in Quito, on March 21, 2025 ahead of Venezuela vs Peru

Venezuela vs Peru live stream: how to watch FIFA World Cup 2026 qualifier anywhere online
See more latest
Most Popular
Open AI
OpenAI live stream - could we see a major ChatGPT upgrade?
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Sony WF-C710N in blue glass on beige background
Sony WF-C710 earbuds land, and I think they'll be the 2025 budget buds to beat
The RIG M2 Streamstar attached to a boom arm.
The RIG M2 Streamstar has the world's first Bluetooth audio gateway in a wired gaming microphone
Four operators survey Verdansk. One holds a sniper rifle, one binoculars, another holds is landing with their parachute, while the last wears a skull mask
New Call of Duty: Warzone trailer shows a beautiful rebuilt Verdansk, but some fans want more: 'it won't be the same unfortunately'