A security flaw has been discovered in the LiteSpeed Cache for WordPress (LSCWP) plugin, one of the most popular optimization tools in the WordPress ecosystem, with over 7 million active installations.
The vulnerability, tracked as CVE-2025-12450, is a Reflected Cross-Site Scripting (XSS) flaw that could allow unauthenticated attackers to steal sensitive user data or hijack user sessions. The vulnerability was responsibly discovered and reported by Nicholas Giemsa at Trustwave.
The LiteSpeed Cache plugin is highly valued for its all-in-one site acceleration, featuring exclusive server-level caching and a collection of optimization features like minification and image optimization. This deep integration makes any security flaw particularly concerning.
While classified as “Reflected XSS,” a class that requires user interaction, this vulnerability carries serious risks, especially when the target is a high-privilege user such as a site administrator.
A successful Reflected XSS attack requires a victim to click a specially crafted malicious link. Once clicked:
- The malicious script is “reflected” off the vulnerable WordPress site’s server.
- The victim’s browser executes the script, believing it came from a trusted source (the site itself).
- The malicious script can then access session cookies (potentially leading to account takeover), steal sensitive data, or redirect the user to a phishing page. If an administrator is the target, the script can even be used to create new, unauthorized administrative accounts or inject backdoors.
Due to the plugin’s massive install base and the ease of exploiting Reflected XSS flaws, all users of the LiteSpeed Cache for WordPress plugin must update immediately.
- Affected Versions: All versions up to, and including, 7.5.0.1.
- Patched Version: Users should update to version 7.6 or newer.