A critical cross-site scripting (XSS) vulnerability has been discovered in the popular LiteSpeed Cache plugin for WordPress, affecting millions of websites worldwide.
The vulnerability, tracked as CVE-2025-12450, poses a significant risk to site visitors and administrators alike.
The LiteSpeed Cache plugin is one of the most widely used performance optimization tools in the WordPress ecosystem, with over 7 million active installations.
The plugin speeds up websites by caching content and optimizing server responses. However, the newly discovered flaw undermines site security by allowing attackers to inject malicious scripts into web pages.
The vulnerability stems from insufficient input sanitization and output escaping in the plugin’s URL handling. This means the plugin fails to properly clean user-supplied data before displaying it on web pages.
Attackers can exploit this weakness by crafting specially designed links and tricking users into clicking them.
When a user clicks a malicious link, arbitrary JavaScript code executes in their browser, potentially stealing sensitive information or session cookies, or performing unauthorized actions on their behalf.
The reflected XSS attack requires user interaction, making it less severe than stored XSS variants, but still dangerous. Attackers typically distribute these malicious links through email, social media, or compromised websites.
Users who click on these links while logged into their WordPress sites become vulnerable to account hijacking or data theft.
The vulnerability, uncovered by Nicholas Giemsa of Trustwave, affects all versions of LiteSpeed Cache up to and including version 7.5.0.1. The security team has already released a patch in version 7.6, which implements proper input sanitization and output escaping.
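To illustrate the bug class described above (a user-supplied URL reflected into a page without sanitization or escaping) and the shape of the fix, here is an added Python example. It is a hypothetical handler written for this article, not LiteSpeed Cache code; the parameter name `redirect` and the sample inputs are constructed.

```python
import html
from typing import Optional
from urllib.parse import urlparse

# Hypothetical web handler that reflects a user-supplied "redirect" URL into a
# link. Constructed for illustration; not the plugin's actual code.

ALLOWED_SCHEMES = {"http", "https"}


def render_link_vulnerable(redirect: str) -> str:
    """The 'before' pattern: the raw query value lands in an attribute.

    A quote in the input closes the href attribute early, and a non-http
    scheme is passed through untouched, so the browser executes whatever
    the link carried.
    """
    return f'<a href="{redirect}">Continue</a>'


def sanitize_url(candidate: str) -> Optional[str]:
    """Input sanitization: accept only absolute http(s) URLs, reject the rest.

    Scheme-relative (//host) and relative paths have no scheme and are also
    rejected, so the fallback is used instead of an attacker-chosen target.
    """
    candidate = candidate.strip()
    parsed = urlparse(candidate)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        return None
    return candidate


def render_link_fixed(redirect: str, fallback: str = "/") -> str:
    """The 'after' pattern: sanitize the input, then escape for the context.

    html.escape(..., quote=True) turns quotes and angle brackets into
    entities, so nothing in the value can terminate the href attribute.
    """
    safe = sanitize_url(redirect)
    if safe is None:
        safe = fallback
    return f'<a href="{html.escape(safe, quote=True)}">Continue</a>'
```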
| Property | Details |
|---|---|
| CVE ID | CVE-2025-12450 |
| CVSS Score | 6.1 (Medium) |
| Vulnerability Type | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) |
| Affected Versions | Up to 7.5.0.1 |
WordPress site administrators should immediately update their plugins to version 7.6 or newer to close this security gap.
The CVSS score of 6.1 (Medium severity) reflects the vulnerability’s potential impact. While not classified as critical, the widespread use of this plugin means millions of websites could be at risk if administrators delay applying the patch.
Website administrators using the LiteSpeed Cache plugin should prioritize updating to version 7.6 immediately through the WordPress plugin dashboard.
Additionally, they should monitor their sites for suspicious activity and consider implementing Web Application Firewalls (WAF) to add an extra layer of protection against XSS attacks.
The post WordPress Plugin Vulnerability Exposes 7 Million Sites to XSS Attack appeared first on Cyber Security News.