ANALYSIS · 305d0d9e· FINISHED 2026-06-13 · PATCHDIFF

litespeed-cache6.2.0.1 → 6.3✓ COMPLETED

Files60

Vulnerable15

True positives0

CVE matched2

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2024-3246

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 60 CVE 2 Vuln 15

SORT

2 files · page 1/1

src/cdn-setup.cls.php

AI: 1 vulnerabilities

CWE-352: Cross-Site Request Forgery (CSRF)CWE-20: Improper Input Validation CVE-2024-3246

#%!d(float64=012)

src/cloud.cls.php

AI: 3 vulnerabilities

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')CWE-20: Improper Input ValidationCWE-1025: Comparison Using Wrong Factors CVE-2024-3246

#%!d(float64=016)

1–2 of 2

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2024-3246

Security writeup for CVE-2024-3246

✓ 2 FILES

## The Exploit

An unauthenticated attacker can forge a request that redirects a logged-in WordPress admin to a malicious external site while injecting a weaponized token parameter. The attacker needs no prior access — only the ability to trick an admin into clicking a link.

```http
GET /wp-admin/admin.php?page=litespeed-cdn&token=<MALICIOUS_PAYLOAD>&nonce=ATTACKER_FORGED HTTP/1.1
Host: target-wordpress.local
```

When an admin clicks this link while logged in, the vulnerable plugin code in `cdn-setup.cls.php` processes the `token` parameter directly from `$_GET` without validating a WordPress nonce. The attacker observes a redirect to the LiteSpeed Cloud dashboard with their malicious token embedded in the query string. On the Cloud backend, if the token validation is insufficient, the attacker can inject arbitrary JavaScript or modify site configuration settings tied to that token.

**Why this still matters at admin:** Admins are routinely compromised through phishing, session theft via malware, or social engineering. A multi-tenant WordPress hosting environment where a restricted "CDN Manager" role exists is particularly vulnerable — that lower-privileged account could be compromised and used to inject tokens that affect the entire site's cache configuration.

---

## What the Patch Did

**Before:**

```php
$data = array(
    'site_url' => home_url(),
    'ref' => get_admin_url(null, 'admin.php?page=litespeed-cdn'),
);
$api_key = $this->conf(self::O_API_KEY);
if ($api_key) {
    $data['domain_hash'] = md5(substr($api_key, 0, 8));
}

wp_redirect(Cloud::CLOUD_SERVER_DASH . '/u/wptoken?data=' . Utility::arr2str($data));
exit();
```

**After:**

```php
$data = array(
    'site_url' => home_url(),
    'ref' => get_admin_url(null, 'admin.php?page=litespeed-cdn'),
    'nonce' => wp_create_nonce('litespeed_qc_link'),
);
$api_key = $this->conf(self::O_API_KEY);
if ($api_key) {
    $data['domain_hash'] = md5(substr($api_key, 0, 8));
}
self::debug2('qc link created', $data);
wp_redirect(Cloud::CLOUD_SERVER_DASH . '/u/wptoken?data=' . Utility::arr2str($data));
exit();
```

The patch adds `wp_create_nonce('litespeed_qc_link')` to the redirect payload. On the receiving end in `cloud.cls.php`, the patch introduces `wp_verify_nonce($_GET['nonce'], 'litespeed_qc_link')` to cryptographically validate that the nonce matches the admin's session. Without a valid nonce, the request is rejected with an error message. Additionally, the token parameter is sanitized using `preg_replace('/[^0-9a-zA-Z]/', '')` to whitelist only alphanumeric characters, blocking injection attacks.

---

## Root Cause

**CWE-352: Cross-Site Request Forgery (CSRF)** combined with **CWE-20: Improper Input Validation**.

The dataflow is straightforward: an attacker crafts a GET request with a forged `token` parameter. This parameter enters via `$_GET['token']` in `cloud.cls.php` at line ~1440. The vulnerable code reads it directly into `$_GET['token']` without validating a nonce or checking that the request originated from the WordPress admin. The `token` value is then passed to the Cloud dashboard without cryptographic proof that a legitimate admin authorized the request. The trust boundary crossed is the request origin — the code assumes any request carrying the `token` parameter must have been issued by the admin, when in reality an attacker can forge that request via a crafted link or form submission.

---

## Why It Works

The load-bearing line is `wp_verify_nonce($_GET['nonce'], 'litespeed_qc_link')`. Remove it, and an attacker can forge a valid request with any `token` they choose — the CSRF vulnerability persists.

The engineer added `wp_create_nonce()` on the redirect source (cdn-setup.cls.php) to generate a cryptographically unique, time-bound token bound to the admin's session. This nonce is then included in the Cloud redirect URL. When the request returns from the Cloud backend, `wp_verify_nonce()` verifies that the nonce matches the current admin session and was created within the valid time window (WordPress nonces are valid for 24 hours by default, or 12 hours for administrative actions). The additional `preg_replace()` sanitization is defense-in-depth — it prevents an attacker from embedding special characters or injection payloads in the token field even if the nonce check were somehow bypassed.

---

## Hardening Checklist

- **Implement `wp_verify_nonce()` for all sensitive state-changing operations** that accept GET/POST parameters. Generate nonces using `wp_create_nonce()` with a unique action string (e.g., `'litespeed_qc_link'`), include them in the form or redirect, and verify them on the handler side.

- **Whitelist and validate all external redirect targets** using `wp_safe_remote_request()` or a whitelist of allowed external domains. Do not redirect to user-controlled URLs without validation.

- **Sanitize all user input with context-aware filters**: use `preg_replace('/[^0-9a-zA-Z]/', '')` for tokens, `sanitize_key()` for object keys, and `esc_url()` for URLs before output.

- **Audit redirect chains and cross-domain requests** in POST-request handlers. If your plugin redirects to an external service, ensure both the outbound link and any return callback include CSRF tokens.

- **Use WordPress capability checks** (`current_user_can('manage_options')`) before processing sensitive parameters, even if a nonce is present. This prevents exploitation via compromised low-privilege admin accounts.

---

## References

- https://nvd.nist.gov/vuln/detail/CVE-2024-3246

CVE CVE-2024-3246

PRODUCT litespeed-cache

AFFECTED ≤ 6.2.0.1

FIXED IN 6.3

STATUS Generated

Security writeup · CVE-2024-3246

Source files · 2

src/cdn-setup.cls.php Linked

src/cloud.cls.php Linked

↗ NVD