CVE-2023-40000
published 2024-04-16

CVE-2023-40000: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored…

Priority: P180 · Severity: medium · Base score: 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 54.87% (98.9th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS. This issue affects LiteSpeed Cache: from n/a through 5.7.

Affected (2 ranges)

Vendor                  Product          Version range   Fixed in
litespeed_technologies  litespeed_cache  n/a – 5.7
litespeedtech           litespeed_cache  < 5.7.0.1       5.7.0.1

Detection & IOCs (extracted from sources)

ip: 94.102.51.144
url: /wp-json/litespeed/v1/cdn_status
path: /wp-content/plugins/litespeed-cache/readme.txt
url: /wp-admin/admin.php?page=litespeed-cdn
other: wpsupp-user
other: wp-configuser
command: eval(atob(Strings.fromCharCode
other: litespeed.admin_display.messages
  • Probe for a vulnerable plugin version by reading the 'Stable tag' line of the plugin's readme.txt: anything below 5.7.0.1 (i.e. 5.7 or earlier) is affected
  • Exploitation targets the unauthenticated POST endpoint /wp-json/litespeed/v1/cdn_status to inject the stored XSS payload via the 'result[_msg]' parameter
  • Check the WordPress database option 'litespeed.admin_display.messages' for the substring 'eval(atob(Strings.fromCharCode' as an indicator of compromise
  • Monitor for creation of WordPress administrator accounts named 'wpsupp-user' or 'wp-configuser' as post-exploitation indicators
  • Monitor for high-volume scanning activity (>1M requests) from single IPs targeting /wp-json/litespeed/v1/cdn_status or the plugin readme.txt path
  • The injected XSS payload is stored and triggers in the WordPress admin panel at /wp-admin/admin.php?page=litespeed-cdn
  • The vulnerability only affects LiteSpeed Cache versions up to and including 5.7; version 5.7.0.1 and later are patched
  • As of reporting, up to 1,835,000 sites were still running a vulnerable release despite the patch being available
  • The XSS payload is stored in the database and executes in the browsers of all WordPress admin users who visit the affected admin page, not just the user who triggered it
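The detection steps above, as an added offline triage example (this is not code from the page's sources, the plugin, or its vendor): parse the readme.txt 'Stable tag' and compare it against the first fixed release, substring-check the raw wp_options value for the IOC, list administrator accounts matching the rogue names, and count probe requests per source IP over access-log lines. Every input below is a constructed sample, and the request threshold is lowered to 3 for that sample where the page cites more than a million requests from one IP.

```python
"""Offline triage helpers for the CVE-2023-40000 indicators listed on this page.
Added example; all sample data is constructed, not taken from a real site."""
import re
from collections import Counter

# Constants taken from the indicators listed above.
FIXED_VERSION = (5, 7, 0, 1)                     # first patched release
IOC_SNIPPET = "eval(atob(Strings.fromCharCode"   # substring of the stored payload
SUSPICIOUS_ADMINS = {"wpsupp-user", "wp-configuser"}
PROBE_PATHS = ("/wp-json/litespeed/v1/cdn_status",
               "/wp-content/plugins/litespeed-cache/readme.txt")

# Constructed sample inputs (assumptions for this example only).
SAMPLE_README = """=== LiteSpeed Cache ===
Contributors: litespeedtech
Requires at least: 4.0
Stable tag: 5.7
License: GPLv3
"""
# A PHP-serialized wp_options value carrying the IOC substring (placeholder payload).
SAMPLE_OPTION = ('a:1:{i:0;s:58:"<script>eval(atob(Strings.fromCharCode(104,116)))'
                 '</script>";}')
# (user_login, role) rows as you would read them from wp_users / wp_usermeta.
SAMPLE_USERS = [("admin", "administrator"), ("editor1", "editor"),
                ("wpsupp-user", "administrator")]
# Combined-log-format lines; the scanner IP is the one listed on this page.
SAMPLE_LOG = [
    '94.102.51.144 - - [16/Apr/2024:10:00:01 +0000] "GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1" 200 812',
    '94.102.51.144 - - [16/Apr/2024:10:00:02 +0000] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 54',
    '94.102.51.144 - - [16/Apr/2024:10:00:03 +0000] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 54',
    '203.0.113.9 - - [16/Apr/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 9310',
    '94.102.51.144 - - [16/Apr/2024:10:00:05 +0000] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 54',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def parse_version(text):
    """'5.7' -> (5, 7, 0, 0): pad to four parts so 5.7 sorts below 5.7.0.1."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def readme_stable_tag(readme_text):
    """Return the 'Stable tag' version string from a plugin readme.txt, or None."""
    m = re.search(r"^Stable tag:\s*([\d.]+)\s*$", readme_text, re.M)
    return m.group(1) if m else None


def version_is_vulnerable(version_text):
    """True for any release below the first fixed version (5.7 and earlier)."""
    return parse_version(version_text) < FIXED_VERSION


def option_contains_payload(option_value):
    """Substring check on the raw (PHP-serialized) wp_options value."""
    return IOC_SNIPPET in option_value


def rogue_admins(users):
    """Administrator logins that match the post-exploitation account names."""
    return sorted(login for login, role in users
                  if role == "administrator" and login in SUSPICIOUS_ADMINS)


def probe_counts(log_lines):
    """Per-IP count of requests to the probe/exploit paths (query string ignored)."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(2).split("?")[0] in PROBE_PATHS:
            counts[m.group(1)] += 1
    return counts


def noisy_sources(log_lines, threshold):
    """IPs whose probe count exceeds threshold (page cites >1M; lowered for the sample)."""
    return sorted(ip for ip, n in probe_counts(log_lines).items() if n > threshold)


def triage(readme_text, option_value, users, log_lines, threshold=1_000_000):
    """Run all four checks and return one summary dict."""
    tag = readme_stable_tag(readme_text)
    return {
        "stable_tag": tag,
        "vulnerable_version": version_is_vulnerable(tag) if tag else None,
        "payload_in_messages_option": option_contains_payload(option_value),
        "rogue_admins": rogue_admins(users),
        "noisy_sources": noisy_sources(log_lines, threshold),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_README, SAMPLE_OPTION, SAMPLE_USERS, SAMPLE_LOG, threshold=3))
```

On a live site the same checks map onto `wp option get litespeed.admin_display.messages`, `wp user list --role=administrator --field=user_login`, and the web server's access log; the version comparison pads short tags so that 5.7 is correctly treated as older than 5.7.0.1.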

CVSS provenance

nvd: v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck: 8.3 HIGH