High

A critical cross-site scripting (XSS) vulnerability, tracked as CVE-2025-12450, has been identified in the widely used LiteSpeed Cache plugin for WordPress. With over 7 million active installations, the plugin plays a key role in website performance optimization, making this flaw particularly concerning due to its broad attack surface. The vulnerability has been assigned a CVSS score of (Medium), but its real-world risk is amplified by the massive number of affected websites globally.

The root cause of the issue lies in improper input sanitization and insufficient output escaping within the plugin’s URL handling functionality. This weakness allows attackers to inject malicious JavaScript into web pages by crafting specially designed URLs. When a victim clicks such a link, the injected script executes in their browser, enabling attackers to steal session cookies, capture sensitive data, or perform unauthorized actions on behalf of the user.

This vulnerability is classified as a reflected XSS attack, meaning it requires user interaction to be successfully exploited. Attackers typically distribute malicious links through phishing emails, social media platforms, or compromised websites. Although it does not persist on the server like stored XSS, it still poses a serious risk, especially for authenticated users such as administrators, who could unknowingly expose their accounts to hijacking or privilege abuse.

The vulnerability, discovered by a researcher, affects all versions of the plugin up to 7.5.0.1. A patch has been released in version 7.6, which introduces proper input validation and output encoding mechanisms. Website administrators are strongly advised to update immediately, monitor for suspicious activity, and consider deploying additional defenses such as Web Application Firewalls (WAFs) to mitigate the risk of XSS-based attacks.