• Resolved
Francesco Canovi (@thedarkmist)


    Meow Lightbox 5.5.1 sends the X-WP-Nonce header in the fetch call to /wp-json/meow-lightbox/v1/regenerate_mwl_data (in app/lightbox.js). The nonce value comes from mwl_settings.rest_nonce, which is printed inline in the page HTML.

    When a full-page cache plugin is active (LiteSpeed Cache in our case, but any page cache would trigger this), the nonce gets cached along with the HTML. WordPress nonces expire after 12-24 hours, but the cached page keeps serving the stale one. As a result, every visitor hitting a cached page sends an expired nonce, and WordPress returns:

    {"code":"rest_cookie_invalid_nonce","message":"Cookie check failed","data":{"status":403}}

    The JS then throws Error("HTTP error! status: 403"), which is displayed to all visitors in a modal/popup.

    Steps to reproduce:

    1. Activate Meow Lightbox with any full-page caching plugin (LiteSpeed Cache, WP Super Cache, W3 Total Cache, etc.)
    2. Visit a page – the page gets cached including the inline nonce
    3. Wait 12-24 hours (or manually invalidate the nonce)
    4. Visit the same page from a different browser – the stale nonce triggers a 403

    Expected behavior:

    Since the regenerate_mwl_data endpoint has permission_callback => __return_true, the nonce is not needed for authorization. The request should work without it.

    Suggested fix:

    Remove the X-WP-Nonce header from the fetch call in lightbox.js for the regenerate_mwl_data endpoint, since it does not require authentication. Alternatively, skip the nonce for unauthenticated users, or handle the 403 gracefully without showing an error to visitors.
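A defensive handling of the failure described above, as an added example (not the plugin's own lightbox.js code): the request is first sent with the inline nonce as the plugin does today, and a 403 `rest_cookie_invalid_nonce` answer is treated as a stale page-cached nonce, retried without the header (the route is public), and never surfaced to visitors as a modal. The `fetchImpl` parameter and the fake WordPress responder are constructed here so the flow runs offline.

```javascript
// Added example, not the plugin's own lightbox.js code. Endpoint path, header
// name and error code come from the report; everything else is assumed.
const ENDPOINT = '/wp-json/meow-lightbox/v1/regenerate_mwl_data';

// WordPress answers a failed nonce/cookie check with HTTP 403 and this code.
function isStaleNonceResponse(status, body) {
  return status === 403 && !!body && body.code === 'rest_cookie_invalid_nonce';
}
async function postJson(fetchImpl, headers, payload) {
  const res = await fetchImpl(ENDPOINT, { method: 'POST', headers, body: JSON.stringify(payload) });
  const body = await res.json().catch(() => null); // tolerate non-JSON error pages
  return { ok: res.ok, status: res.status, body };
}

// `nonce` is the page's mwl_settings.rest_nonce (possibly page-cached); fetchImpl is injectable for offline runs.
async function regenerateMwlData(payload, nonce, fetchImpl = globalThis.fetch) {
  const headers = { 'Content-Type': 'application/json' };
  if (nonce) headers['X-WP-Nonce'] = nonce;
  let result = await postJson(fetchImpl, headers, payload);
  let retriedWithoutNonce = false;
  if (isStaleNonceResponse(result.status, result.body)) {
    // The route has permission_callback => __return_true, so it needs no nonce;
    // the header only triggered the cookie check that a page-cached value fails.
    delete headers['X-WP-Nonce'];
    result = await postJson(fetchImpl, headers, payload);
    retriedWithoutNonce = true;
  }
  if (!result.ok) {
    // Degrade quietly: log for the site owner instead of showing visitors a modal.
    console.warn('regenerate_mwl_data failed with HTTP', result.status);
    return { ok: false, status: result.status, retriedWithoutNonce };
  }
  return { ok: true, data: result.body, retriedWithoutNonce };
}

// Constructed WordPress stand-in: a non-current nonce header fails the cookie check; no header passes (public route).
function makeFakeWordPress(currentNonce) {
  const nonceHeadersSeen = [];
  async function fetchImpl(url, opts) {
    const sent = opts.headers['X-WP-Nonce'];
    nonceHeadersSeen.push(sent === undefined ? null : sent);
    if (sent !== undefined && sent !== currentNonce) {
      const err = { code: 'rest_cookie_invalid_nonce', message: 'Cookie check failed', data: { status: 403 } };
      return { ok: false, status: 403, json: async () => err };
    }
    return { ok: true, status: 200, json: async () => ({ regenerated: true, url }) };
  }
  return { fetchImpl, nonceHeadersSeen };
}
```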

Viewing 1 replies (of 1 total)