Security Alert Summary
The LiteSpeed Cache plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its REST API endpoints that accept CSS content from QUIC.cloud callbacks. Under certain deployment configurations, unauthenticated attackers may be able to inject JavaScript into stored CCSS/UCSS content that is later rendered inline on frontend page loads.
CVE Details
- CVE ID: CVE-2026-3375
- Affected component: LiteSpeed Cache plugin for WordPress
- Affected versions: All versions up to, and including, 7.7
- Published: May 27, 2026 08:16:40 AM UTC
- Last modified: May 27, 2026 02:50:47 PM UTC
- CVSS v3.1: Base score 7.2 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Authentication / privileges / user interaction: No privileges required (PR:N), no user interaction (UI:N). Access is over the network (AV:N) with low attack complexity (AC:L).
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- Weakness: CWE-79 (Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting issue affecting the REST API endpoints /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss. These endpoints accept CSS content from QUIC.cloud callback notifications and store that content to disk without sanitization. The stored content is later rendered inline during frontend page loads without appropriate output escaping, allowing JavaScript to execute in users’ browsers.
The plugin relies on IP-based validation to restrict access to these endpoints. That IP-based access control can potentially be bypassed when a WordPress site is deployed behind a reverse proxy, load balancer, or CDN with certain configurations, which may allow unauthenticated requests to reach the endpoints and result in stored XSS in CCSS/UCSS content.
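As an added illustration of the reverse-proxy caveat above (not code from the plugin, the advisory, or the vendor), the following Python script scans constructed access-log lines for requests to the two notify endpoints whose resolved client address is not on a callback allowlist, contrasting a naive forwarded-header lookup with a hardened one. It assumes the bypass takes the form of a forwarded-IP header being trusted, which the advisory does not detail; the IP ranges, the `xff="..."` log field and the sample lines are placeholders.

```python
import re
from ipaddress import ip_address, ip_network

CALLBACK_ALLOWLIST = [ip_network("203.0.113.0/24")]  # placeholder: use the real QUIC.cloud callback ranges
TRUSTED_PROXIES = [ip_network("198.51.100.0/24")]    # placeholder: your reverse proxy / CDN egress range
ENDPOINTS = {"/wp-json/litespeed/v1/notify_ccss", "/wp-json/litespeed/v1/notify_ucss"}

LOG_RE = re.compile(  # combined log format plus a trailing xff="..." field (assumed layout)
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ xff="(?P<xff>[^"]*)"'
)

def in_any(ip, networks):
    return any(ip in net for net in networks)

def naive_client_ip(peer, xff):
    """The fragile pattern: trust the leftmost X-Forwarded-For entry whenever one is present."""
    return ip_address(xff.split(",")[0].strip()) if xff else ip_address(peer)

def effective_client_ip(peer, xff):
    """Hardened: honour X-Forwarded-For only from a trusted proxy, and take the rightmost non-proxy hop."""
    peer_ip = ip_address(peer)
    if not xff or not in_any(peer_ip, TRUSTED_PROXIES):
        return peer_ip
    for hop in reversed(xff.split(",")):
        try:
            hop_ip = ip_address(hop.strip())
        except ValueError:
            return peer_ip  # malformed header entry: fall back to the TCP peer rather than guess
        if not in_any(hop_ip, TRUSTED_PROXIES):
            return hop_ip  # everything left of this hop is client-supplied and ignored
    return peer_ip

def flag_callbacks(lines, resolver=effective_client_ip):
    """Return (client_ip, path, status) for each notify_* request whose resolved client is not allowlisted."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?", 1)[0] not in ENDPOINTS:
            continue
        client = resolver(m.group("peer"), m.group("xff"))
        if not in_any(client, CALLBACK_ALLOWLIST):
            findings.append((str(client), m.group("path"), m.group("status")))
    return findings

SAMPLE_LOG = [  # constructed: genuine callback, direct-to-origin hit, proxied hit with a client-supplied XFF prefix
    '203.0.113.7 - - [27/May/2026:09:00:01 +0000] "POST /wp-json/litespeed/v1/notify_ccss HTTP/1.1" 200 15 xff=""',
    '192.0.2.44 - - [27/May/2026:09:00:02 +0000] "POST /wp-json/litespeed/v1/notify_ucss HTTP/1.1" 403 0 xff=""',
    '198.51.100.9 - - [27/May/2026:09:00:03 +0000] "POST /wp-json/litespeed/v1/notify_ccss HTTP/1.1" 200 15 xff="203.0.113.7, 192.0.2.44"',
]
```

Calling `flag_callbacks(SAMPLE_LOG)` reports both non-allowlisted hits, whereas `flag_callbacks(SAMPLE_LOG, resolver=naive_client_ip)` misses the proxied one because the leftmost header value looks like a legitimate callback source.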
How This Could Impact Your Website
Consider a mid-sized site where the site owner coordinates with internal staff and an external front-end contractor. If an attacker is able to inject JavaScript into stored CCSS/UCSS content, that script can run in the browsers of site visitors, logged-in editors, or administrators when they load pages that include the affected CSS. Practical consequences include exposure of session tokens or other data accessible to client-side scripts, and increased risk of targeted phishing or social engineering leveraging visible or harvested information such as email addresses.
This vulnerability does not by itself imply full site takeover, but it does increase the risk to users and logged-in staff by enabling client-side script execution where it should not be possible. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level accounts and other accounts with write access.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and audit any third-party integrations that accept external callbacks.
- Monitor site activity and logs for unusual behavior that could indicate attempts to exploit stored content delivery.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/litespeed-cache/trunk/src/cloud.cls.php#L2085
- https://plugins.trac.wordpress.org/browser/litespeed-cache/trunk/src/css.cls.php#L401
- https://plugins.trac.wordpress.org/browser/litespeed-cache/trunk/src/css.cls.php#L595
- https://plugins.trac.wordpress.org/browser/litespeed-cache/trunk/src/optimize.cls.php#L477
- https://plugins.trac.wordpress.org/browser/litespeed-cache/trunk/src/rest.cls.php#L108
- https://plugins.trac.wordpress.org/browser/litespeed-cache/trunk/src/router.cls.php#L732
- https://plugins.trac.wordpress.org/changeset/3473912/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/40fa29f5-525a-4986-91f9-0210a7594e46?source=cve