WordPress Plugin Vulnerabilities
LiteSpeed Cache < 3.6.1 - Authenticated Stored Cross-Site Scripting
Description
The plugin does not sanitise invalid IPs given in its Toolbox page before displaying them in an error message.
Proof of Concept
Submit a payload such as <img src onerror=alert(/XSS/)> in the Admin IPs section of the Toolbox (/wp-admin/admin.php?page=litespeed-toolbox)
Affects Plugins
Fixed in 3.6.1 References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WonTae Jang
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2020-12-26 (about 2 years ago)
Added
2020-12-26 (about 2 years ago)
Last Updated
2020-12-28 (about 2 years ago)
WPScan 