CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-46800 – WordPress LiteSpeed Cache Plugin <= 5.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-46800
22 Mar 2023 — Cross-Site Request Forgery (CSRF) vulnerability in LiteSpeed Technologies LiteSpeed Cache plugin <= 5.3 versions. The LiteSpeed Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rest_api_init function in versions up to, and including, 5.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to activate or deactivate arbitrary crawlers. Cross-Site Request Forgery (CSRF) vulnerability in LiteSpeed... • https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-5-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24963 – LiteSpeed Cache < 4.4.4 - Admin+ Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24963
30 Nov 2021 — The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting El plugin LiteSpeed Cache de WordPress versiones anteriores a 4.4.4, no escapa el parámetro qc_res antes de devolverlo al código JS de una página de administración, conllevando a un ataque de tipo Cross-Site Scripting Reflejado The LiteSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via t... • https://plugins.trac.wordpress.org/changeset/2634373 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 14%CPEs: 1EXPL: 1CVE-2021-24964 – LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2021-24964
30 Nov 2021 — The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by... • https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-29172 – LiteSpeed Cache <= 3.6 - Authenticated Stored Cross-Site Scripting via IP setting
https://notcve.org/view.php?id=CVE-2020-29172
26 Dec 2020 — A cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin before 3.6.1 for WordPress can be exploited via the Server IP setting. Una vulnerabilidad de tipo cross-site scripting (XSS) en el plugin LiteSpeed ??Cache versiones anteriores a 3.6.1 para WordPress puede ser explotada por medio de la configuración de IP del Servidor • https://wordpress.org/plugins/litespeed-cache/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •