Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin for WordPress

CVE-2024-9169

5.5MEDIUM

Key Information:

Vendor
LiteSpeed Cache
Vendor
CVE Published:
25 September 2024

Summary

The LiteSpeed Cache plugin for WordPress is prone to a Stored Cross-Site Scripting vulnerability stemming from inadequate input sanitization and output escaping mechanisms. This issue permits authenticated attackers with administrator-level permissions to inject arbitrary web scripts during the debug settings configuration. The injected scripts can execute whenever a user accesses a page containing the malicious payload. This vulnerability particularly impacts multi-site installations and systems where the 'unfiltered_html' capability has been disabled, making these environments especially susceptible to exploitation.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://www.litespeedtech.com/products/cache-plugins/word...

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

Collectors

NVD Database
.