Skip to main content

LiteSpeed Cache CVE-2026-3375

| EUVDEUVD-2026-32115 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 security@wordfence.com GHSA-hf4x-3pgg-4r9c
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 20:42 vuln.today
CVE Published
May 27, 2026 - 08:16 nvd
HIGH 7.2

DescriptionCVE.org

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notifications and store it to disk without sanitization. The stored content is later rendered inline frontend page loads without output escaping. The access control protecting these endpoints is IP-based validation that can potentially be bypassed when the WordPress site is deployed behind a reverse proxy, load balancer, or CDN with certain configurations. This makes it possible for unauthenticated attackers, under certain conditions, to inject arbitrary JavaScript into CCSS/UCSS content.

AnalysisAI

Stored cross-site scripting in the LiteSpeed Cache plugin for WordPress (all versions through 7.7) lets attackers persist arbitrary JavaScript into a site's frontend by abusing the unauthenticated /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST endpoints, which store QUIC.cloud-supplied CSS to disk and later render it inline without escaping. Exploitation is conditional: the endpoints are protected by IP-based access control that only becomes bypassable in certain reverse-proxy, load-balancer, or CDN deployments. No public exploit identified at time of analysis, and EPSS is low (0.07%, 20th percentile), consistent with CISA SSVC marking exploitation status as 'none' despite 'automatable: yes'.

Technical ContextAI

LiteSpeed Cache is a widely deployed WordPress performance plugin that offloads CSS generation (Critical CSS / CCSS and Unique CSS / UCSS) to the external QUIC.cloud service. QUIC.cloud returns generated CSS asynchronously via callback notifications hitting the plugin's REST API (rest.cls.php, router.cls.php, cloud.cls.php) and the data is handled in css.cls.php and optimize.cls.php (the trac references point at the relevant lines, e.g. css.cls.php#L401/#L595 and optimize.cls.php#L477). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): callback CSS is written to disk without sanitization and subsequently emitted inline into frontend page output without output escaping, so a CSS payload containing markup such as a </style> break-out and a <script> tag executes in every visitor's browser. Affected platform is the LiteSpeed Cache WordPress plugin itself rather than the LiteSpeed web server.

RemediationAI

Update the LiteSpeed Cache plugin to the version that includes the fix committed in WordPress plugin changeset 3473912 (https://plugins.trac.wordpress.org/changeset/3473912/); an upstream fix is available as that changeset, but a specific released/tagged patched version is not independently confirmed in the supplied data, so verify the fixed version against the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/40fa29f5-525a-4986-91f9-0210a7594e46?source=cve) and update to it or later. Until patched, the most effective compensating control is to ensure the IP-based access control cannot be bypassed: at the reverse proxy, load balancer, or CDN, do not blindly trust client-supplied X-Forwarded-For/Forwarded headers and restore the real client IP, and restrict or block external access to /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss so only legitimate QUIC.cloud source ranges reach them (trade-off: overly strict filtering can break QUIC.cloud CCSS/UCSS callbacks and degrade CSS optimization). If QUIC.cloud-based CCSS/UCSS generation is not required, disabling the Critical CSS and Unique CSS features removes the affected callback path entirely at the cost of that optimization. A web application firewall rule inspecting the callback body for HTML/script content (e.g. </style> or <script>) in CSS payloads can provide interim detection.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-3375 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy