PT-2026-43546 · WordPress · Litespeed Cache

Os

+1

·

Published

2026-05-27

·

Updated

2026-05-27

·

CVE-2026-3375

CVSS v3.1

7.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions LiteSpeed Cache versions prior to 7.8
Description The LiteSpeed Cache plugin for WordPress contains a Stored Cross-Site Scripting issue. The REST API endpoints "/wp-json/litespeed/v1/notify ccss" and "/wp-json/litespeed/v1/notify ucss" accept CSS content from QUIC.cloud callback notifications and store it to disk without sanitization. This content is subsequently rendered inline during frontend page loads without output escaping. The IP-based validation used for access control on these endpoints can be bypassed if the site is deployed behind a CDN, load balancer, or reverse proxy with specific configurations, allowing unauthenticated attackers to inject arbitrary JavaScript into CCSS/UCSS content.
Recommendations Update to a version later than 7.7.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-3375

Affected Products

Litespeed Cache