CVE-2023-4372 in LiteSpeed Cache Plugin
Summary
by MITRE • 01/11/2024
The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'esi' shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The LiteSpeed Cache plugin for WordPress contains a critical stored cross-site scripting vulnerability identified as CVE-2023-4372 that affects versions up to and including 5.6. This vulnerability resides within the plugin's handling of the 'esi' shortcode functionality, where insufficient input sanitization and output escaping mechanisms fail to properly validate user-supplied attributes. The flaw represents a significant security weakness that allows authenticated attackers with contributor-level privileges or higher to execute malicious scripts within the context of affected WordPress installations. The vulnerability operates as a stored XSS attack because the malicious scripts are permanently stored within the application's database or configuration files, making them persistent across user sessions and potentially affecting multiple users who access pages containing the injected content.
The technical exploitation of this vulnerability occurs through the improper handling of user input within the esi shortcode implementation. When administrators or users with contributor-level permissions create or modify content that includes the esi shortcode with malicious attributes, the plugin fails to adequately sanitize these inputs before storing them. The absence of proper output escaping means that when these stored attributes are later rendered in web pages, the malicious JavaScript code executes in the context of other users' browsers. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a direct violation of secure coding practices for input validation and output encoding. The attack vector specifically targets the plugin's shortcode processing mechanism, where user-supplied parameters are not properly filtered or escaped before being incorporated into dynamic web content.
The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to perform various malicious activities within the compromised WordPress environment. Authorized users with contributor-level permissions can leverage this flaw to inject persistent scripts that may steal cookies, session tokens, or other sensitive information from users who view affected pages. The vulnerability's persistence means that once exploited, the malicious code continues to execute until manually removed from the system, potentially allowing for extended periods of unauthorized access or data exfiltration. This stored nature of the attack makes it particularly dangerous as it can affect multiple users without requiring repeated exploitation attempts, and the malicious scripts can be designed to perform actions such as redirecting users to malicious sites, defacing content, or establishing backdoors within the WordPress installation.
Organizations affected by this vulnerability should immediately implement mitigations including updating to the latest version of the LiteSpeed Cache plugin where the XSS vulnerability has been addressed through proper input sanitization and output escaping mechanisms. The remediation process should involve verifying that all user-supplied attributes within the esi shortcode are properly validated and escaped before storage and rendering. Security teams should also implement additional monitoring for suspicious shortcode usage patterns and consider implementing web application firewalls to detect and block malicious input attempts. This vulnerability demonstrates the critical importance of proper input validation and output escaping in web applications, aligning with ATT&CK technique T1059.007 for scripting and T1566 for credential access through social engineering attacks that could exploit such vulnerabilities. Organizations should also conduct thorough security reviews of all plugins and themes to identify similar input validation gaps that could enable similar attack vectors.