CVE-2025-12450: 
WordPress vulnerability analysis and mitigation

The LiteSpeed Cache plugin for WordPress (CVE-2025-12450) is a Reflected Cross-Site Scripting (XSS) vulnerability discovered in versions up to and including 7.5.0.1. The vulnerability was discovered by Nicholas Giemsa at Trustwave and publicly disclosed on October 28, 2025. This security flaw affects over 7 million active WordPress installations (Security Online).

The vulnerability stems from insufficient input sanitization and output escaping in the LiteSpeed Cache plugin. It is classified as a Reflected Cross-Site Scripting (XSS) vulnerability with a CVSS v3.1 base score of 6.1 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The flaw is specifically related to URL handling in the plugin (NVD).

When successfully exploited, the vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on malicious links. If an administrator is targeted, the malicious script can potentially create unauthorized administrative accounts, inject backdoors, access session cookies leading to account takeover, steal sensitive data, or redirect users to phishing pages (Security Online).

Users are strongly advised to update to version 7.6 or newer of the LiteSpeed Cache plugin, which includes patches for this vulnerability. The fix involves properly escaping comments to prevent the CSS vulnerability that could occur when debug mode is enabled (GitHub Commit).