LiteSpeed Cache < 6.5.1 – Unauthenticated Stored Cross-Site Scripting | CVE 2024-47374 | Plugin Vulnerabilities

Description

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-LSCACHE-VARY-VALUE' header in all versions up to, and including, 6.5.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the CSS Combine and Generate UCSS settings to be enabled.

Affects Plugins

litespeed-cache

Fixed in 6.5.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3d300517-8939-431d-b33b-e74806e5887c

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

TaiYou

Verified

No

WPVDB ID

30de1c8d-5549-468d-ac1e-15eb5556003c

Timeline

Publicly Published

2024-09-30 (about 1 year ago)

Added

2024-10-02 (about 1 year ago)

Last Updated

2024-10-02 (about 1 year ago)

Other

Published

Title

Published

2024-03-01

Title

Nextend Social Login and Register < 3.1.13 - Reflected Self-Based Cross-Site Scripting via error_description

Published

2024-12-13

Title

Eveeno < 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-05-21

Title

Opal Estate Pro <= 1.7.6 - Contributor+ Stored XSS

Published

2024-11-08

Title

SimpleGMaps <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-08-02

Title

Doctreat < 1.6.8 - Reflected Cross-Site Scripting