cleantalk
Vulnerabilities and Security Researches

LiteSpeed Cache, CVE-2021-24964

CVE, Research URL

CVE-2021-24964

Home page URL

Security reports for LiteSpeed Cache

Application

LiteSpeed Cache

Published on
Jan 03, 2022
Research Description
The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users.
Affected versions
Min -, max 4.4.4.
Status
vulnerable
Previous vulnerability researches
LiteSpeed Cache (CVE-2024-50550) , Oct 31, 2024
LiteSpeed Cache (CVE-2024-9169) , Sep 26, 2024
LiteSpeed Cache (CVE-2020-29172) , Jun 07, 2024
LiteSpeed Cache (CVE-2021-24963) , Jun 07, 2024
LiteSpeed Cache (CVE-2021-24964) , Jun 07, 2024
New vulnerability
Lead Form Data Collection to CRM (CVE-2025-47690) , May 14, 2025
WordPress Portfolio Builder – Portfolio Gallery (CVE-2025-1757) , May 14, 2025
LiteSpeed Cache (CVE-2025-47437) , May 14, 2025
Frontend Dashboard (CVE-2025-4474) , May 14, 2025
Frontend Dashboard (CVE-2025-4473) , May 14, 2025