CVE-2023-4372

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'esi' shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

We have discovered 257,480 live websites that are affected by CVE-2023-4372.

Affected Software


Product	Litespeed Cache
Category	Cache Tools
Vulnerable Versions	from 0 through 5.6
Total Vulnerable Versions	113
Vulnerable Domains	257,480 live websites (29.83% of Litespeed Cache install base)

Available Reports

Website List

Details

Published - Jan 11, 2024
Updated - Jan 11, 2024

Credits

István Márton (finder)

CVE References

CWE References

cwe.mitre.org

Countries

United States	63,320 websites

GB	17,034 websites
Poland	14,627 websites
Turkey	14,067 websites
Canada	11,726 websites
Spain	10,486 websites
Cyprus	9,872 websites
Brazil	9,299 websites
India	8,603 websites
France	8,236 websites

TLDs

.com	121,731 websites
.org	11,298 websites
.pl	11,222 websites
.co.uk	9,388 websites
.com.br	8,062 websites
.net	7,892 websites
.com.au	4,896 websites
.es	3,778 websites
.ca	3,587 websites
.nl	3,286 websites

Vulnerable Versions

Vulnerable versions are highlighted in red

References

Websites affected by CVE-2023-4372

Top websites that are affected by CVE-2023-4372. Please click on the "Contact us" link to get more information.

Domain	Country	Rank
***.*.tw	Taiwan	,**
*.*.*.tw	Taiwan	,**
*******.fm	United States	,**
**********.ro	Romania	,*
*.*******.*.br	Brazil	,*
***************.com	Australia	,*
*.***************.net	United States	,*
*.**.de	Germany	,*
*********.com	Germany	,*
******.com	United States	,*

See full domain list