PT-2026-43546 · WordPress · Litespeed Cache
Os
+1
·
Published
2026-05-27
·
Updated
2026-05-27
·
CVE-2026-3375
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
LiteSpeed Cache versions prior to 7.8
Description
The LiteSpeed Cache plugin for WordPress contains a Stored Cross-Site Scripting issue. The REST API endpoints "/wp-json/litespeed/v1/notify ccss" and "/wp-json/litespeed/v1/notify ucss" accept CSS content from QUIC.cloud callback notifications and store it to disk without sanitization. This content is subsequently rendered inline during frontend page loads without output escaping. The IP-based validation used for access control on these endpoints can be bypassed if the site is deployed behind a CDN, load balancer, or reverse proxy with specific configurations, allowing unauthenticated attackers to inject arbitrary JavaScript into CCSS/UCSS content.
Recommendations
Update to a version later than 7.7.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Litespeed Cache