LiteSpeed Cache Stored Cross-Site Scripting Vulnerability via QUIC.cloud REST API Endpoints

Vulnerability

A stored cross-site scripting vulnerability has been identified in the LiteSpeed Cache plugin for WordPress, affecting all versions up to and including 7.7. The flaw lies in the '/wp-json/litespeed/v1/notify_ccss' and '/wp-json/litespeed/v1/notify_ucss' REST API endpoints, which accept critical-CSS and unique-CSS content delivered by QUIC.cloud callback notifications. The received content is written to disk without sanitization and is later emitted inline in the page's HTML without escaping, so any markup embedded in the CSS reaches the browser unchanged. The endpoints are protected only by an IP-based access control, which an unauthenticated attacker can bypass when the site sits behind a reverse proxy, load balancer, or CDN in a configuration that lets the request pass that check.

Impact

Successful exploitation yields stored cross-site scripting: the injected JavaScript is persisted server-side and executes in the browser of every user who views the affected page, within the origin of the WordPress site.

Reproduction

To reproduce this vulnerability, send a POST request to the '/wp-json/litespeed/v1/notify_ccss' or '/wp-json/litespeed/v1/notify_ucss' endpoint whose CSS content carries a JavaScript payload; the stored CSS is subsequently served inline on the frontend. The request must first pass the endpoint's IP-based access control, so reproduction requires a deployment in which the WordPress site sits behind a reverse proxy or CDN that does not properly validate the client IP address, allowing the request to bypass the default access controls.
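The following Python model is an added example and is not code from the LiteSpeed Cache plugin or from QUIC.cloud. It illustrates the two conditions the advisory describes: a stylesheet emitted inline without escaping, where CSS text can terminate the style element and start a script, beside a check that refuses such content; and an IP allow-list that is defeated when a forwarded client-IP header is believed unconditionally, beside a resolution that only honours the header through known proxy hops. The payload, page template, address ranges and function names are constructed for illustration; in particular, the assumption that the bypass works through X-Forwarded-For is a common pattern, not a statement about how the plugin reads client addresses.

```python
import re
from ipaddress import ip_address, ip_network
from typing import List, Optional

# --- Part 1: the inline <style> sink ----------------------------------------

# Constructed sample inputs (not captured from QUIC.cloud).
BENIGN_CSS = "body{margin:0}.hero{color:#333}"
# The payload closes the <style> element early, opens a <script> element, and
# reopens <style> so the rest of the page still parses cleanly.
BREAKOUT_CSS = "body{margin:0}</style><script>alert(document.domain)</script><style>"

# The template carries no script of its own, so any <script> found after the
# stylesheet in the rendered page must have come from the stored CSS.
PAGE_TEMPLATE = "<html><head><style>{css}</style></head><body><p>hi</p></body></html>"
STYLE_END = re.compile(r"</style", re.IGNORECASE)


def render_vulnerable(css: str) -> str:
    """Model of the unsafe sink: stored CSS is emitted inline with no check."""
    return PAGE_TEMPLATE.format(css=css)


def is_safe_inline_css(css: str) -> bool:
    """Inside <style> the browser treats content as raw text: entities are not
    decoded (so HTML-escaping would not help) and the only way out of the
    element is the literal end-tag sequence. Refusing '</' anywhere closes
    that door; it is slightly stricter than needed, but CSS never requires it."""
    return "</" not in css


def render_hardened(css: str) -> str:
    """Emit the stylesheet only if it passes the check; drop it otherwise
    (a real handler would also log and reject the callback)."""
    return PAGE_TEMPLATE.format(css=css if is_safe_inline_css(css) else "")


def injected_script_runs(html_doc: str) -> bool:
    """Approximate the HTML parser: the first <style> element ends at the first
    case-insensitive '</style'; a <script> tag anywhere after that is live."""
    start = html_doc.lower().find("<style>")
    if start == -1:
        return False
    end = STYLE_END.search(html_doc, start)
    tail = html_doc[end.start():] if end else ""
    return re.search(r"<script\b", tail, re.IGNORECASE) is not None


# --- Part 2: IP allow-list behind a proxy (assumed bypass mechanism) --------

# Constructed documentation ranges; stand-ins for the vendor's callback
# sources and for the site's own CDN / reverse-proxy hops.
CALLBACK_ALLOWLIST = [ip_network("192.0.2.0/24")]
TRUSTED_PROXIES = [ip_network("198.51.100.0/24")]


def _in_any(ip: str, nets: List) -> bool:
    """True if ip parses and falls inside one of nets; malformed -> False."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """Weak resolution: believe the left-most X-Forwarded-For hop whenever the
    header is present, regardless of who connected."""
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_strict(remote_addr: str, xff: Optional[str]) -> str:
    """If the TCP peer is not a trusted proxy the header is untrusted and
    ignored. Otherwise walk the chain right-to-left, discarding hops that are
    trusted proxies; the first remaining hop is the real client."""
    if not _in_any(remote_addr, TRUSTED_PROXIES):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in_any(hop, TRUSTED_PROXIES):
            return hop
    return remote_addr


def callback_allowed(ip: str) -> bool:
    """The endpoint's only gate in this model: source must be in the allow-list."""
    return _in_any(ip, CALLBACK_ALLOWLIST)
```

With the spoofed chain "192.0.2.10, 203.0.113.5" arriving from a trusted proxy, the naive resolver reports the allow-listed address and lets the callback through, while the strict resolver reports 203.0.113.5 and rejects it; with the same chain arriving directly from 203.0.113.5 the strict resolver ignores the header entirely.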

Remediation

Users are advised to update the LiteSpeed Cache plugin to version 7.8 or later, which addresses the vulnerability.

Added: May 27, 2026, 8:43 AM
Updated: May 27, 2026, 8:43 AM

Vulnerability Rating

Custom Algorithm

  spread          6.4
  impact          1.7
  exploitability  7.2
  remediation     7.7
  relevance       9.7
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.