vulnerability
WordPress Plugin: litespeed-cache: CVE-2021-24964: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 3 | (AV:N/AC:H/Au:N/C:N/I:P/A:N) | Nov 30, 2021 | May 15, 2025 | Jul 9, 2025 |
Severity
3
CVSS
(AV:N/AC:H/Au:N/C:N/I:P/A:N)
Published
Nov 30, 2021
Added
May 15, 2025
Modified
Jul 9, 2025
Description
The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users.
Solution
litespeed-cache-plugin-cve-2021-24964
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.