CVE-2021-24964

Name of the Vulnerable Software and Affected Versions LiteSpeed Cache WordPress plugin versions prior to 4.4.4

Description The issue arises from the plugin not properly verifying requests from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. Additionally, an endpoint can be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitized and escaped. This can be exploited by an unauthenticated attacker to put Cross-Site Scripting payloads in pages visited by users.

Recommendations For versions prior to 4.4.4, update to version 4.4.4 or later to resolve the issue. As a temporary workaround, consider disabling the setting that enables CSS code injection until a patch is available. Restrict access to the vulnerable endpoints to minimize the risk of exploitation. Avoid using the X-Forwarded-For header value in the affected API endpoints until the issue is resolved.