CVE-2021-24964 - Vulnerability Details - OpenCVE

The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Litespeedtech	Litespeed Cache

Configuration 1 [-]

cpe:2.3:a:litespeedtech:litespeed_cache:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc

History

Thu, 22 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2022-01-03T12:49:08.000Z

Updated: 2025-05-22T18:39:45.298Z

Reserved: 2021-01-14T00:00:00.000Z

Link: CVE-2021-24964

Vulnrichment

Updated: 2024-08-03T19:49:14.371Z

NVD

Status : Modified

Published: 2022-01-03T13:15:08.517

Modified: 2025-05-22T19:15:24.130

Link: CVE-2021-24964

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "LiteSpeed Cache", "vendor": "Unknown", "versions": [{"lessThan": "4.4.4", "status": "affected", "version": "4.4.4", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Emil Kylander"}], "descriptions": [{"lang": "en", "value": "The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-03T12:49:08.000Z", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc"}], "source": {"discovery": "EXTERNAL"}, "title": "LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24964", "STATE": "PUBLIC", "TITLE": "LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "LiteSpeed Cache", "version": {"version_data": [{"version_affected": "<", "version_name": "4.4.4", "version_value": "4.4.4"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Emil Kylander"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:49:14.371Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc"}]}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-22T15:21:22.171177Z", "id": "CVE-2021-24964", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-22T18:39:45.298Z"}}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24964", "datePublished": "2022-01-03T12:49:08.000Z", "dateReserved": "2021-01-14T00:00:00.000Z", "dateUpdated": "2025-05-22T18:39:45.298Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:49:14.371Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-24964", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-22T15:21:22.171177Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-22T15:22:37.068Z"}}], "cna": {"title": "LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Emil Kylander"}], "affected": [{"vendor": "Unknown", "product": "LiteSpeed Cache", "versions": [{"status": "affected", "version": "4.4.4", "lessThan": "4.4.4", "versionType": "custom"}]}], "references": [{"url": "https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc", "tags": ["x_refsource_MISC"]}], "x_generator": "WPScan CVE Generator", "descriptions": [{"lang": "en", "value": "The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2022-01-03T12:49:08.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Emil Kylander"}], "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "4.4.4", "version_value": "4.4.4", "version_affected": "<"}]}, "product_name": "LiteSpeed Cache"}]}, "vendor_name": "Unknown"}]}}, "data_type": "CVE", "generator": "WPScan CVE Generator", "references": {"reference_data": [{"url": "https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc", "name": "https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-24964", "STATE": "PUBLIC", "TITLE": "LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS", "ASSIGNER": "contact@wpscan.com"}}}}, "cveMetadata": {"cveId": "CVE-2021-24964", "state": "PUBLISHED", "dateUpdated": "2025-05-22T18:39:45.298Z", "dateReserved": "2021-01-14T00:00:00.000Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2022-01-03T12:49:08.000Z", "assignerShortName": "WPScan"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:litespeedtech:litespeed_cache:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "EF6F5FCC-681B-4B55-A96E-4E4B1141828F", "versionEndExcluding": "4.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users."}, {"lang": "es", "value": "El plugin LiteSpeed Cache de WordPress versiones anteriores a 4.4.4, no verifica correctamente que las peticiones proceden de servidores QUIC.cloud, permitiendo a atacantes realizar peticiones a determinados endpoints usando un valor de encabezado X-Forwarded-For espec\u00edfico. Adem\u00e1s, uno de los endpoints podr\u00eda ser usado para establecer c\u00f3digo CSS si es habilitado un ajuste, que luego ser\u00e1 emitido en algunas p\u00e1ginas sin ser saneado y escapado. Combinando estos dos problemas, un atacante no autenticado podr\u00eda poner cargas \u00fatiles de tipo Cross-Site Scripting en las p\u00e1ginas visitadas por los usuarios"}], "id": "CVE-2021-24964", "lastModified": "2025-05-22T19:15:24.130", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-01-03T13:15:08.517", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "contact@wpscan.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}