The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin debug settings in all versions up to, and including, 6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Metrics
Affected Vendors & Products
References
History
Wed, 25 Sep 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 25 Sep 2024 08:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin debug settings in all versions up to, and including, 6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |
Title | litespeed cache <= 6.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-09-25T08:31:05.854Z
Updated: 2024-09-25T13:21:38.198Z
Reserved: 2024-09-24T19:58:41.752Z
Link: CVE-2024-9169
Vulnrichment
Updated: 2024-09-25T13:21:34.061Z
NVD
Status : Awaiting Analysis
Published: 2024-09-25T09:15:03.380
Modified: 2024-09-26T13:32:02.803
Link: CVE-2024-9169
Redhat
No data.