CVE-2024-9169
litespeed cache <= 6.4.1 - Authenticated (Administrator+) Stored Cross-Site ScriptingThe LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin debug settings in all versions up to, and including, 6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
We have discovered 216,116 live websites that are affected by CVE-2024-9169.
Affected Software
| Product |  Litespeed Cache |
| Category | Cache Tools |
| Vulnerable Domains | 216,116 live websites (23.55% of Litespeed Cache install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 148 versions ( 94.87% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Sep 25, 2024
- Updated - Sep 25, 2024
Credits
- Islam Rafei (finder)
CWE
CVE References
CWE References
CVE-2024-9169 usage by Country
 United States | 72,316 websites |
 Poland | 14,433 websites |
 GB | 13,268 websites |
 Germany | 11,194 websites |
 France | 10,616 websites |
 Turkey | 9,360 websites |
 Canada | 8,814 websites |
 Spain | 7,075 websites |
 Romania | 6,002 websites |
 Vietnam | 5,530 websites |
CVE-2024-9169 usage by TLD
| .com | 97,873 websites |
| .pl | 11,292 websites |
| .org | 9,033 websites |
| .net | 6,500 websites |
| .co.uk | 6,366 websites |
| .com.br | 6,242 websites |
| .com.au | 4,160 websites |
| .es | 3,299 websites |
| .ca | 3,219 websites |
| .nl | 2,851 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-9169
Top websites that are affected by CVE-2024-9169. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.fm | United States | *,*** | |
| ***********.com |  Austria | *,*** | |
| ***************************.***.mx | United States | *,*** | |
| *********.com | France | *,*** | |
| *********.***********.eu | Germany | **,*** | |
| ***********.net | United States | **,*** | |
| *******.net | United States | **,*** | |
| *******.net | United States | **,*** | |
| *******.com | United States | **,*** | |
| *****.co | United States | **,*** |
FAQ
CVE-2024-9169 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Litespeed Cache
A total of 216,116 websites have been identified as vulnerable to CVE-2024-9169, discovered through global website indexing conducted by WebTechSurvey.
Litespeed Cache is susceptible to CVE-2024-9169 vulnerability.
Litespeed Cache versions before, and including, 6.4.1 are vulnerable to CVE-2024-9169.