CVE-2021-24963: LiteSpeed Cache < 4.4.4 - Admin+ Reflected Cross-Site Scripting
First published: Mon Jan 03 2022(Updated: )
The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| LiteSpeed Technologies LiteSpeed Cache | <4.4.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this LiteSpeed Cache WordPress plugin vulnerability?
The vulnerability ID for this LiteSpeed Cache WordPress plugin vulnerability is CVE-2021-24963.
What is the description of CVE-2021-24963?
CVE-2021-24963 is a vulnerability in the LiteSpeed Cache WordPress plugin before version 4.4.4 that leads to a Reflected Cross-Site Scripting (XSS) attack.
How severe is CVE-2021-24963?
CVE-2021-24963 has a severity score of 4.8, which is considered medium severity.
Which version of the LiteSpeed Cache WordPress plugin is affected by CVE-2021-24963?
The LiteSpeed Cache WordPress plugin versions up to (but not including) 4.4.4 are affected by CVE-2021-24963.
How can I fix CVE-2021-24963?
To fix CVE-2021-24963, you should update the LiteSpeed Cache WordPress plugin to version 4.4.4 or higher.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/remedy
- agent/severity
- agent/description
- agent/event
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- agent/source
- vendor/litespeedtech
- canonical/litespeed technologies litespeed cache