
CVE-2025-12450: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in litespeedtech LiteSpeed Cache

Severity: Medium
Published: Wed Oct 29 2025 (10/29/2025, 09:27:57 UTC)
Source: CVE Database V5
Vendor/Project: litespeedtech
Product: LiteSpeed Cache

Description

CVE-2025-12450 is a reflected Cross-Site Scripting (XSS) vulnerability in the LiteSpeed Cache WordPress plugin affecting all versions up to and including 7.5.0.1. It arises from insufficient input sanitization and output escaping of URL parameters, which lets an unauthenticated attacker inject script into a page the plugin generates. Exploitation requires tricking a user into following a crafted link; the script then executes in the victim's browser within the origin of the affected site. The CVSS v3.1 base score is 6.1 (Medium), with limited confidentiality and integrity impact and no availability impact. No exploitation in the wild had been reported at the time of writing. European organizations running the plugin are exposed, particularly sites with many logged-in users such as editors, administrators or customers, since a reflected XSS is most damaging when the victim already holds an authenticated session.

AI-Powered Analysis

Last updated: 11/05/2025, 11:57:33 UTC

Technical Analysis

CVE-2025-12450 is a reflected Cross-Site Scripting (XSS) vulnerability in the LiteSpeed Cache plugin for WordPress, affecting all versions up to and including 7.5.0.1. The root cause is insufficient input sanitization and output escaping of URL parameters: a value taken from the query string is written back into the generated page without being encoded for the HTML context it lands in, so an unauthenticated attacker can break out of that context and supply arbitrary JavaScript. When a victim opens a crafted URL, the injected script runs in their browser under the site's origin, where it can read page content, issue requests that carry the victim's session and perform actions as that user. The weakness is classified as CWE-79 (improper neutralization of input during web page generation). The CVSS v3.1 base score is 6.1 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network-reachable, low complexity, no privileges required, user interaction required, scope changed, low confidentiality and integrity impact, no availability impact. The scope change exists because the vulnerable component is the plugin on the web server while the impacted component is the victim's browser. This record lists no patched version and no known exploit; because the issue is publicly disclosed, any plugin release later than 7.5.0.1 should be checked against the vendor changelog and applied promptly. Being reflected rather than stored, the payload lives only in the attacker's link, so it is delivered through phishing or targeted messages rather than persisting on the site. LiteSpeed Cache is a widely deployed caching plugin, which makes the flaw relevant to a broad range of WordPress sites including e-commerce, media and corporate portals.
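
The pattern described above, shown in miniature as an added example (this is not LiteSpeed Cache code, and the advisory names no parameter, so the parameter `q`, the page fragment and the payloads are constructed): a query-string value is reflected into three HTML contexts with no escaping, then the same page is rendered with escaping chosen per context. In a WordPress plugin the counterparts of the example's escape_html, escape_attr and escape_url are esc_html(), esc_attr() and esc_url(), applied at the point where the value is written into the page. A small HTMLParser-based counter stands in for the browser and reports how many script sinks each render contains.

```python
"""Reflected XSS from an unescaped URL parameter, beside the context-aware fix.

Added illustration of the CWE-79 pattern behind CVE-2025-12450; not LiteSpeed
Cache code. Parameter name, page fragment and payloads are constructed.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


def get_param(url: str, name: str) -> str:
    """First value of a query parameter, or '' when absent (like $_GET[...] ?? '')."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """The CWE-79 pattern: the raw parameter lands in three HTML contexts."""
    q = get_param(url, "q")
    return (f'<input name="q" value="{q}">'
            f'<a href="{q}">again</a>'
            f'<p>Results for {q}</p>')


def escape_html(value: str) -> str:
    """Text-node context: & < > " ' become entities (WordPress: esc_html)."""
    return escape(value, quote=True)


def escape_attr(value: str) -> str:
    """Quoted attribute context: same entity set; escaped quotes stop a breakout (esc_attr)."""
    return escape(value, quote=True)


def escape_url(value: str) -> str:
    """URL context: entity-escaping is not enough, the scheme must be checked (esc_url)."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in ("", "http", "https"):
        return ""  # javascript:, data:, vbscript: ... are dropped outright
    return escape(value, quote=True)


def render_hardened(url: str) -> str:
    """Same page, each reflection escaped for the context it is written into."""
    q = get_param(url, "q")
    return (f'<input name="q" value="{escape_attr(q)}">'
            f'<a href="{escape_url(q)}">again</a>'
            f'<p>Results for {escape_html(q)}</p>')


class ScriptSinkCounter(HTMLParser):
    """Counts positions where a browser would execute script: <script> elements,
    on* event-handler attributes, and javascript: URLs in href/src."""

    def __init__(self) -> None:
        super().__init__()
        self.sinks = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sinks += 1
        for name, value in attrs:
            if name.startswith("on"):
                self.sinks += 1
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.sinks += 1


def live_script_sinks(html: str) -> int:
    """Number of executable script sinks a browser would see in `html`."""
    counter = ScriptSinkCounter()
    counter.feed(html)
    counter.close()
    return counter.sinks


# Constructed payloads, one per context the template reflects into.
PAYLOADS = {
    "tag breakout": "https://example.test/?q=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E",
    "event handler": "https://example.test/?q=%22%20onerror%3Dalert(1)%20x%3D%22",
    "javascript url": "https://example.test/?q=javascript:alert(1)",
}


def compare(url: str) -> tuple[int, int]:
    """(script sinks in the vulnerable render, script sinks in the hardened render)."""
    return live_script_sinks(render_vulnerable(url)), live_script_sinks(render_hardened(url))


if __name__ == "__main__":
    for label, url in PAYLOADS.items():
        vulnerable, hardened = compare(url)
        print(f"{label:14s} vulnerable={vulnerable} hardened={hardened}")
```

The three payloads each target a different context, and the same entity-escaping that fixes the attribute and text-node cases does nothing for the `javascript:` URL, which is why the URL context needs a scheme check rather than more encoding. Note also that escaping is applied at output time, not when the parameter is read: the same value may be written into several contexts, and only the writer knows which encoding each one needs.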

Potential Impact

For European organizations the risk is to the confidentiality and integrity of user sessions and data rather than to availability. Script injected through the crafted link runs in the origin of the trusted site, so it can read page content, make requests that carry the victim's cookies and perform actions as that user. WordPress marks its authentication cookies HttpOnly, so the script cannot simply read them out; the realistic abuse is a logged-in administrator or editor who follows the link, whose browser can then be driven to issue authenticated wp-admin or REST requests (fetching the nonces those requests need from pages in the same origin) to create users, change settings or install plugins. The outcome can be account takeover, defacement or a personal data breach with GDPR notification obligations. Because the XSS is reflected, each victim must be lured individually, typically by phishing or social engineering, which limits mass automated exploitation but not targeted attacks on high-value sites in e-commerce, finance, media and government. The scope change in the CVSS vector reflects that the vulnerable component is the plugin on the server while the impacted component is the victim's browser; it does not indicate that the server itself is compromised.

Mitigation Recommendations

1. Track the LiteSpeed Cache changelog and update the plugin, via the WordPress dashboard or WP-CLI, as soon as a release later than 7.5.0.1 that addresses this issue is available; this record itself lists no fixed version.
2. Until then, put Web Application Firewall (WAF) rules in front of the site that inspect query strings for reflected XSS payloads (tag breakouts, on* event handlers, javascript: URLs) after full percent-decoding. The advisory does not name the affected parameter or endpoint, so rules have to be generic and will need tuning against false positives on legitimate search and editor traffic.
3. Deploy a Content Security Policy (CSP) that disallows inline script; this blunts most reflected XSS payloads even when the injection succeeds. Start on the public front end: wp-admin depends heavily on inline scripts and will break under a strict policy unless nonces or hashes are introduced.
4. Include input validation and context-correct output escaping (esc_html, esc_attr and esc_url in WordPress terms) in regular security audits and penetration tests of plugins and themes.
5. Remind administrators and editors not to follow unsolicited links while logged into the site; an anonymous visitor's browser is a far less valuable target than an administrator's.
6. If patching is delayed and the exposure is judged unacceptable, temporarily deactivate or replace the plugin.
7. Reduce the blast radius of a hijacked session: least-privilege roles, multi-factor authentication and short session lifetimes for administrative accounts.
8. Monitor web server and application logs for query strings carrying script markup or its encoded variants, and for repeated attempts from the same source.
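
The detection logic behind items 2 and 8 above, as an added example rather than a LiteSpeed Cache or Wordfence tool: it parses access-log lines in the common Apache/Nginx combined format, fully percent-decodes each query-string value (so double-encoded payloads such as %2522 are seen as the quote they become), and reports the first XSS indicator matched per request. Because the advisory names no vulnerable parameter, the scanner looks at every parameter on every request; the log lines are constructed for the example and the indicator list is a starting point to tune, not a finished WAF ruleset.

```python
"""Scan web server access logs for reflected-XSS attempts in URL parameters.

Added example for the WAF and log-monitoring mitigations; not a LiteSpeed Cache
or Wordfence tool. The log lines below are constructed, not a real capture.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache/Nginx combined log format.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2025:10:15:02 +0000] "GET /?s=litespeed HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2025:10:15:09 +0000] "GET /wp-admin/admin.php?page=litespeed&q=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 9801 "https://evil.example/" "Mozilla/5.0"
198.51.100.4 - - [29/Oct/2025:10:16:44 +0000] "GET /?q=%2522%2520onerror%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 4410 "-" "curl/8.4"
198.51.100.4 - - [29/Oct/2025:10:17:01 +0000] "GET /?redirect=javascript%3Aalert(1) HTTP/1.1" 302 0 "-" "curl/8.4"
192.0.2.10 - - [29/Oct/2025:10:18:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Ordered: the first indicator that matches labels the hit.
INDICATORS = [
    ("html tag", re.compile(r"<\s*/?\s*(script|img|svg|iframe|body|object|embed)\b", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: uri", re.compile(r"javascript\s*:", re.I)),
    ("tag/attr breakout", re.compile(r'["\']\s*>|["\']\s*[a-z-]+\s*=', re.I)),
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so %2522 -> %22 -> " is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a hit record for the first suspicious parameter on the line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    for name, raw in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
        decoded = fully_decode(raw)
        for label, pattern in INDICATORS:
            if pattern.search(decoded):
                return {"ip": m["ip"], "time": m["ts"], "param": name,
                        "indicator": label, "value": decoded}
    return None


def scan_log(text: str) -> list:
    """All hits in a log, in line order."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]


def per_source(hits: list) -> Counter:
    """Attempts per client IP, for spotting repeated probing (mitigation item 8)."""
    return Counter(hit["ip"] for hit in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f'{hit["time"]} {hit["ip"]} param={hit["param"]} [{hit["indicator"]}] {hit["value"]!r}')
    print("attempts per source:", dict(per_source(found)))
```

Two details matter in practice. First, the decoding loop: a WAF or log filter that decodes once will miss the double-encoded third line, which the web server and plugin may still decode further. Second, the patterns run on decoded parameter values, not on the raw request line, so a benign word such as "one=" inside a value can match the event-handler rule; reviewing hits by source, as per_source does, separates a single odd search from a scanner walking the site.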


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-10-28T20:45:41.236Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6901dfdacaab5f688cecedce

Added to database: 10/29/2025, 9:35:22 AM

Last enriched: 11/5/2025, 11:57:33 AM

Last updated: 12/13/2025, 9:33:32 PM

