15 matches found
CVE-2023-40000
LiteSpeed Cache (WordPress plugin)
CVE-2024-28000
CVE-2024-28000 affects WordPress LiteSpeed Cache (LiteSpeed Cache plugin) versions from 1.9 through 6.3.0.1. The issue is an Incorrect Privilege Assignment that allows unauthenticated escalation to administrator, enabling full site control. Mitigation: update to plugin version 6.4.0+ (or a patche...
CVE-2024-47374
CVE-2024-47374 affects the WordPress LiteSpeed Cache plugin up to version 6.5.0.2. The vulnerability is a stored XSS caused by improper input neutralization during web page generation, enabling attackers to execute malicious scripts in victims’ browsers. Impact can include session hijacking or pa...
CVE-2024-44000
CVE-2024-44000 affects LiteSpeed Cache for WordPress (versions before 6.5.0.1). Public details from multiple sources describe an authentication bypass vulnerability linked to insufficient credential protection, with several connected documents highlighting that debug logging can expose admin cook...
CVE-2024-50550
The CVE-2024-50550 entry concerns the WordPress LiteSpeed Cache plugin (versions through 6.5.1) with an Incorrect Privilege Assignment vulnerability that enables privilege escalation. Reports attribute the root cause to weak hash verification in the crawler/role-simulation logic (is_role_simulati...
CVE-2024-47373
CVE-2024-47373 is a stored Cross-Site Scripting (XSS) vulnerability in LiteSpeed Cache (WordPress plugin) affecting versions up to 6.5.0.2. The issue arises from improper neutralization of input during web page generation, enabling stored XSS. Public sources (NVD, Red Hat, Patchstack, CVE lists) ...
CVE-2024-9169
CVE-2024-9169 (LiteSpeed Cache for WordPress) : A stored XSS exists in all versions up to 6.4.1 due to insufficient input sanitization and output escaping in plugin debug settings. Exploitation requires administrator-level privileges and affects multi-site installs or sites with unfiltered_html d...
CVE-2020-29172
CVE-2020-29172 is a cross-site scripting vulnerability in the WordPress LiteSpeed Cache plugin prior to 3.6.1. The issue arises because the Toolbox Admin IPs/Server IP setting does not sanitize input, enabling injection of script payloads via the IP field. Some sources (WPVulnDB/OpenVAS explainer...
CVE-2024-3246
CVE-2024-3246 affects LiteSpeed Cache for WordPress (versions
CVE-2024-47637
CVE-2024-47637 is a path-traversal vulnerability in LiteSpeed Cache for WordPress (LiteSpeed Cache plugin) affecting versions up to 6.4.1. The issue enables relative path traversal due to insufficient input validation, with CVSS 3.1 base score 8.8 (HIGH). A fix is available: update to 6.5.1. Unti...
CVE-2023-45000
CVE-2023-45000 is a Missing Authorization vulnerability affecting LiteSpeed Cache (WordPress) up to version 5.7, allowing unauthorized access via the API. The available documents confirm the issue and affected range but do not provide concrete exploitation details, affected sub-components, or a c...
CVE-2023-4372
The CVE-2023-4372 entry describes a Stored Cross‑Site Scripting (XSS) vulnerability in the WordPress LiteSpeed Cache plugin (versions ≤ 5.6). The root cause is insufficient input sanitization and output escaping on attributes of the esi shortcode, enabling authenticated attackers with contributor...
CVE-2022-46800
CVE-2022-46800 affects the WordPress LiteSpeed Cache plugin up to version 5.3. The issue is a Cross-Site Request Forgery (CSRF) vulnerability in the plugin, as described in multiple sources (NVD/Red Hat/OpenVAS overlaps). The exact root cause is not explicitly detailed in the provided documents b...
CVE-2021-24963
The CVE-2021-24963 entry concerns the WordPress LiteSpeed Cache plugin prior to 4.4.4, where the qc_res parameter is not escaped before being echoed into admin-page JavaScript, enabling a Reflected Cross-Site Scripting vulnerability. Affected software: LiteSpeed Cache WordPress plugin (versions
CVE-2021-24964
CVE-2021-24964 affects the WordPress LiteSpeed Cache plugin prior to 4.4.4. The root issues are (1) failure to verify QUIC.cloud-origin requests, enabling an IP/check bypass via X-Forwarded-For to access certain endpoints, and (2) an endpoint that can inject CSS if a setting is enabled, which can...