Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

From thehackernews.com

A high-severity flaw impacting the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue admin accounts on susceptible websites.

The findings come from WPScan, which said that the vulnerability (CVE-2023-40000, CVSS score: 8.3) has been leveraged to set up bogus admin users with the names wpsupp-user and wp-configuser.

CVE-2023-40000, which was disclosed by Patchstack in February 2024, is a stored cross-site scripting (XSS) vulnerability that could permit an unauthenticated user to elevate privileges by means of specially crafted HTTP requests.

The flaw was addressed in October 2023 in version 5.7.0.1. It’s worth noting that the latest version of the plugin is 6.2.0.1, which was released on April 25, 2024.

LiteSpeed Cache has over 5 million active installations, with statistics showing that versions other than 5.7, 6.0, 6.1, and 6.2 are still active on 16.8% of all websites.
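The two indicators the article gives a site owner are a version cutoff (the fix shipped in LiteSpeed Cache 5.7.0.1) and the rogue usernames WPScan observed (wpsupp-user and wp-configuser). The following is an added example, not code from the article, WPScan or Patchstack: it compares an installed plugin version against that cutoff and flags administrator accounts that are either one of the reported names or not on the owner's expected list. The user records and the expected-admin set are constructed sample data; on a real site they would come from `wp user list --format=json`.

```python
"""Defender-side checks for the LiteSpeed Cache issue described above (CVE-2023-40000).

Added example; the sample users below are constructed, not taken from any real site.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# First LiteSpeed Cache release that contained the fix, per the article.
FIXED_VERSION = (5, 7, 0, 1)

# Usernames WPScan reported attackers creating after exploiting the flaw.
ROGUE_USERNAMES = {"wpsupp-user", "wp-configuser"}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a WordPress-style version string into a 4-tuple for comparison.

    "5.7" becomes (5, 7, 0, 0); a trailing suffix such as "-beta" is ignored
    by stopping at the first non-numeric segment. An unparseable string
    yields (0, 0, 0, 0), so it is treated as vulnerable rather than ignored.
    """
    parts: List[int] = []
    for segment in version.strip().split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])  # type: ignore[return-value]


def is_vulnerable_version(version: str) -> bool:
    """True when the installed plugin predates the fixed release 5.7.0.1."""
    return parse_version(version) < FIXED_VERSION


@dataclass(frozen=True)
class WPUser:
    login: str
    role: str
    registered: str  # ISO date, as `wp user list` prints it


def find_suspicious_admins(users: Iterable[WPUser],
                           expected_admins: Set[str]) -> List[Tuple[str, str]]:
    """Return (login, reason) pairs for accounts worth a closer look.

    A login matching a reported rogue name is flagged regardless of role;
    any other administrator not in the owner's expected set is flagged too.
    """
    flagged: List[Tuple[str, str]] = []
    for user in users:
        if user.login in ROGUE_USERNAMES:
            flagged.append((user.login, "rogue username reported by WPScan"))
        elif user.role == "administrator" and user.login not in expected_admins:
            flagged.append((user.login, "administrator not in expected set"))
    return sorted(flagged)


# Constructed sample input standing in for the output of `wp user list`.
SAMPLE_USERS = [
    WPUser("siteowner", "administrator", "2021-03-02"),
    WPUser("newsdesk", "editor", "2022-08-14"),
    WPUser("wpsupp-user", "administrator", "2024-04-30"),
    WPUser("wp-configuser", "administrator", "2024-05-01"),
    WPUser("deploybot", "administrator", "2024-05-02"),
]
EXPECTED_ADMINS = {"siteowner"}  # the accounts the owner actually created


if __name__ == "__main__":
    for ver in ("5.6.1", "5.7.0.1", "6.2.0.1"):
        state = "VULNERABLE" if is_vulnerable_version(ver) else "patched"
        print(f"litespeed-cache {ver}: {state}")
    for login, reason in find_suspicious_admins(SAMPLE_USERS, EXPECTED_ADMINS):
        print(f"review account {login!r}: {reason}")
```

The name check alone is weak, since an attacker can pick any username; the expected-admin comparison is the durable part of the check and is worth running on a schedule, together with keeping the plugin at a fixed release.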
