CVE-2024-9169 MEDIUM

CVE-2024-9169: litespeed cache <= 6.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Vendor Litespeedtech

Product LiteSpeed Cache

Weakness CWE-79 · XSS

Published September 25, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin debug settings in all versions up to, and including, 6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Key dates

02Disclosure timeline

September 25, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-9169 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-46995 baserCMS has Cross-site Scripting Vulnerability in HTTP 400 Bad Request CVE-2025-30941 WordPress Pinterest Verify Meta Tag plugin <= 1.3 - Cross Site Scripting (XSS) Vulnerability CVE-2021-24909 ACF Photo Gallery Field < 1.7.5 - Reflected Cross-Site Scripting CVE-2026-4909 code-projects Exam Form Submission update_s7.php cross site scripting CVE-2024-5530 ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via WL Product Horizontal Filter Widget