WordPress Plugin Vulnerabilities

LiteSpeed Cache < 3.6.1 - Authenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise invalid IPs given in its Toolbox page before displaying them in an error message.

Proof of Concept

Affects Plugins

Plugin icon
litespeed-cache
Fixed in 3.6.1

References

CVE
CVE-2020-29172
URL
https://plugins.trac.wordpress.org/changeset/2443924/litespeed-cache/trunk/src/admin-display.cls.php

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.3 (low)

Miscellaneous

Original Researcher
WonTae Jang
Verified
Yes
WPVDB ID
8ef35524-d996-4285-aca2-dc62e02c074d

Timeline

Publicly Published
2020-12-26 (about 5 years ago)
Added
2020-12-26 (about 5 years ago)
Last Updated
2020-12-28 (about 5 years ago)

Other

Published
Title
Published
2021-09-06
Title
Modern Events Calendar Lite < 5.22.2 - Admin+ Stored Cross-Site Scripting
Published
2017-03-06
Title
WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
Published
2025-01-07
Title
Author Avatars List/Block < 2.1.24 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-09-10
Title
Easy Accordion < 2.0.22 - Admin+ Stored Cross-Site Scripting
Published
2023-05-22
Title
Responsive Tabs For WPBakery Page Builder <= 1.1 - Contributor+ Stored XSS