CVE-2026-3375
Stored Cross-Site Scripting in LiteSpeed Cache WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| litespeed | cache | up to and including 7.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The LiteSpeed Cache plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in two of its REST API endpoints, /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss. These endpoints accept CSS content delivered by QUIC.cloud callback notifications and write it to disk without sanitizing it. On later frontend page loads the stored content is emitted inline without escaping, so any JavaScript smuggled into the "CSS" executes in visitors' browsers.
Access control for these endpoints relies on validating the caller's IP address. That check can be bypassed when the WordPress site sits behind a reverse proxy, load balancer, or CDN with certain configurations, because the address the plugin sees is then not necessarily the real peer. Under those conditions an unauthenticated attacker can inject arbitrary JavaScript through the CSS content.
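The following is an added illustration of the two weak links just described, written for this page and not taken from the LiteSpeed Cache code base. It models a callback handler whose IP check trusts a forwarding header from any peer (one common way an IP allowlist fails behind a proxy; the exact mechanism in the plugin is not stated on this page and is assumed here) and which inlines stored CSS into a `<style>` element verbatim, beside a hardened version of each. The payload, the allowlist and all addresses are constructed (RFC 5737 documentation ranges), not QUIC.cloud's real source IPs.

```python
"""Minimal model of the CWE-79 pattern described above (added illustration,
not LiteSpeed Cache code). Two weak links and their hardened forms:
  1. a client-IP check that trusts X-Forwarded-For from any peer, and
  2. callback-supplied CSS inlined into a <style> element without escaping.
The allowlist, proxy address and payload are all constructed."""

from dataclasses import dataclass

# Constructed allowlist standing in for the callback service's source IPs.
ALLOWED_CALLBACK_IPS = {"203.0.113.10"}
# Address of the site's own reverse proxy / CDN edge (constructed).
TRUSTED_PROXIES = {"10.0.0.2"}


@dataclass
class Request:
    remote_addr: str   # TCP peer address as seen by the web server
    headers: dict      # HTTP headers, names lower-cased
    body: str          # CSS payload carried by the callback


def client_ip_vulnerable(req: Request) -> str:
    """Trusts X-Forwarded-For from anyone; the leftmost hop is attacker-controlled."""
    xff = req.headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return req.remote_addr


def client_ip_hardened(req: Request) -> str:
    """Honours X-Forwarded-For only when the peer is our own proxy, and then
    uses the hop that proxy appended (rightmost), never the client-supplied head."""
    xff = req.headers.get("x-forwarded-for")
    if xff and req.remote_addr in TRUSTED_PROXIES:
        return xff.split(",")[-1].strip()
    return req.remote_addr


def callback_allowed(req: Request, ip_resolver) -> bool:
    """IP-allowlist gate in front of the notify endpoint."""
    return ip_resolver(req) in ALLOWED_CALLBACK_IPS


def render_inline_css_vulnerable(css: str) -> str:
    """Stored CSS dropped into the page verbatim: a '</style>' inside the data
    closes the element and whatever follows is parsed as HTML."""
    return "<style>" + css + "</style>"


def css_escape_for_style_element(css: str) -> str:
    """CSS-escape the characters that could terminate a <style> element.
    '\\3c ' and '\\3e ' are CSS hex escapes for '<' and '>' (the trailing
    space ends the escape), so genuine CSS keeps its meaning."""
    return css.replace("<", "\\3c ").replace(">", "\\3e ")


def render_inline_css_hardened(css: str) -> str:
    return "<style>" + css_escape_for_style_element(css) + "</style>"


def contains_script_markup(html: str) -> bool:
    """Crude check for the demo: does the rendered HTML open a <script> tag?"""
    return "<script" in html.lower()


def demo() -> dict:
    # Constructed payload: plausible CSS followed by a <style> break-out.
    payload = "body{color:red}</style><script>alert(document.domain)</script>"
    # Spoofed header sent straight to origin by an untrusted peer (proxy not in path).
    direct = Request("198.51.100.7", {"x-forwarded-for": "203.0.113.10"}, payload)
    # Same spoof sent through the trusted proxy, which appends the real peer.
    via_proxy = Request("10.0.0.2", {"x-forwarded-for": "203.0.113.10, 198.51.100.7"}, payload)
    # Genuine callback from the allowlisted address arriving through the proxy.
    legit = Request("10.0.0.2", {"x-forwarded-for": "203.0.113.10"}, "a{b:c}")
    return {
        "direct_vuln": callback_allowed(direct, client_ip_vulnerable),
        "direct_hard": callback_allowed(direct, client_ip_hardened),
        "proxy_vuln": callback_allowed(via_proxy, client_ip_vulnerable),
        "proxy_hard": callback_allowed(via_proxy, client_ip_hardened),
        "legit_hard": callback_allowed(legit, client_ip_hardened),
        "render_vuln_has_script": contains_script_markup(render_inline_css_vulnerable(payload)),
        "render_hard_has_script": contains_script_markup(render_inline_css_hardened(payload)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth noting from the model. First, the IP check is only as strong as the way the peer address is derived: once a forwarding header is trusted from arbitrary peers, or the site is fronted by a CDN whose egress ranges are shared with other tenants, "the callback came from the expected address" stops being a useful authentication signal, which is why a shared secret or signature on the callback is the usual complement. Second, the renderer does not need to understand CSS to be safe; it only needs to guarantee that nothing in the stored text can close the `<style>` element, which the CSS hex escapes do without altering valid stylesheets.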
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to inject JavaScript that executes on the frontend of the affected site in every visitor's browser. That can be used to steal credentials, hijack sessions, deface pages, or serve malware to visitors.
Because no authentication is required, the risk is significant for any publicly reachable site running an affected version of the plugin (7.7 and earlier), and higher still where the site is fronted by a proxy, load balancer, or CDN that weakens the IP-based check.