LiteSpeed Cache
CVE-2023-40000
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through 5.7.
AnalysisAI
Stored cross-site scripting in LiteSpeed Cache for WordPress (versions up to and including 5.7) allows remote unauthenticated attackers to inject persistent malicious scripts that execute in the context of any user - including administrators - visiting affected pages. Publicly available exploit code exists and EPSS scores this at 82.03% (99th percentile), indicating very high probability of opportunistic exploitation across the millions of WordPress sites running this plugin. No CISA KEV listing at time of analysis, but the combination of high EPSS, public POC, and massive install base makes this a priority for WordPress operators.
Technical ContextAI
LiteSpeed Cache is a popular WordPress caching and site-acceleration plugin (CPE cpe:2.3:a:litespeedtech:litespeed_cache) developed by LiteSpeed Technologies, with an install footprint in the millions of WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the stored variant: user-controllable input is persisted by the plugin and later rendered into HTML responses without sufficient output encoding or input sanitization, so injected script payloads execute in any visitor's browser session. Because the payload is stored server-side, every subsequent page render delivers the attack - no per-victim social engineering is required after initial injection.
RemediationAI
Upgrade the LiteSpeed Cache plugin to a version later than 5.7 via the WordPress plugin updater or by downloading from wordpress.org/plugins/litespeed-cache; the affected-range upper bound in NVD data is 5.7, and Patchstack's advisory for this CVE identifies the fixed release as the next maintenance version, so any version newer than 5.7 (5.7.0.1 / 5.8 and later) should contain the sanitization fix - verify the exact patched version against the vendor changelog before deploying. If immediate patching is not possible, compensating controls include temporarily deactivating LiteSpeed Cache (accepting the performance hit and loss of caching/optimization features), restricting access to plugin-managed input fields and admin endpoints behind IP allowlists or WAF rules that block typical XSS payloads (with the trade-off of false positives on legitimate rich content), and deploying a strict Content-Security-Policy that disallows inline script (which can break themes or other plugins that rely on inline JS). Audit existing cached content and stored plugin data for previously injected payloads, since stored XSS persists across the patch.
More in Litespeed Cache
View allMissing Authorization vulnerability in LiteSpeed Technologies LiteSpeed Cache.7. Rated high severity (CVSS 8.2), this vu
A cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin before 3.6.1 for WordPress can be exploited via
The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and includin
The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin debug settings in all v
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today