CVE-2021-24964: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24964 affects the LiteSpeed Cache WordPress plugin versions below 4.4.4. The vulnerability was discovered by Emil Kylander and was publicly disclosed on November 30, 2021. This security issue involves an IP check bypass that could lead to unauthenticated stored Cross-Site Scripting (XSS) attacks (WPScan).

The vulnerability stems from two combined issues in the LiteSpeed Cache plugin. First, the plugin fails to properly verify requests originating from QUIC.cloud servers, allowing attackers to bypass security checks by manipulating the X-Forwarded-For header value. Second, when the 'Load CSS Asynchronously' setting is enabled in the Page Optimization settings, an endpoint can be exploited to inject CSS code that is subsequently output on pages without proper sanitization or escaping (WPScan).

When successfully exploited, this vulnerability allows an unauthenticated attacker to inject Cross-Site Scripting (XSS) payloads into pages that are visited by users. This could potentially lead to the execution of malicious JavaScript code in visitors' browsers (WPScan).

The vulnerability has been fixed in LiteSpeed Cache version 4.4.4. Website administrators running affected versions should update to version 4.4.4 or later to mitigate this security risk (WPScan).