PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3375 litespeedtech CVE debrief

CVE-2026-3375 is a stored cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin for WordPress, affecting versions up to and including 7.7. The flaw lies in two REST API endpoints, /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss, which accept CSS content from QUIC.cloud callback notifications and write it to disk without sanitization. The stored content is later rendered inline during frontend page loads without output escaping, so anything injected into it runs in the browser of any visitor who loads an affected page.

The endpoints are protected only by an IP-based check. That check can be bypassed when the site sits behind a reverse proxy, load balancer, or CDN and the plugin derives the client address from a forwarding header (such as X-Forwarded-For) that an external client can set, which may allow an unauthenticated attacker to inject arbitrary JavaScript into the CCSS/UCSS content under those conditions.

The vulnerability was published on May 27, 2026 and is rated HIGH with a CVSS score of 7.2. The underlying weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation). Source code references indicate that the affected functionality spans several plugin components: cloud notification handling, CSS processing, optimization, REST API routing, and IP validation. Changeset 3473912 appears to address the issue.

Vendor
litespeedtech
Product
LiteSpeed Cache
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

  • WordPress site administrators running LiteSpeed Cache plugin versions ≤7.7
  • Security teams managing WordPress deployments behind CDNs, reverse proxies, or load balancers
  • Hosting providers offering LiteSpeed Web Server with integrated WordPress caching
  • QUIC.cloud service users with the CCSS/UCSS features enabled

Technical summary

The LiteSpeed Cache plugin generates Critical CSS (CCSS) and Unique CSS (UCSS) through its QUIC.cloud integration: the plugin exposes REST API endpoints that receive callback notifications from QUIC.cloud carrying the generated CSS. The vulnerability chain has three links: (1) the IP-based access control in router.cls.php validates the request origin against QUIC.cloud IP ranges, but may be circumvented when X-Forwarded-For or a similar header is trusted inappropriately behind a proxy, because such headers are client-controlled unless the proxy overwrites them; (2) cloud.cls.php stores the callback payload to disk unsanitized; (3) css.cls.php and optimize.cls.php retrieve the stored CSS and render it inline during frontend page generation without output escaping. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects network reachability, low attack complexity, no privileges and no user interaction required, a scope change (the payload executes in site visitors' browsers, beyond the vulnerable plugin itself), and low confidentiality and integrity impact with no availability impact.
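To make the proxy bypass in link (1) concrete, here is an added illustration in Python (my example, not plugin code; the plugin is PHP and its actual header handling is not reproduced here) of the two ways a server can derive the client address from X-Forwarded-For. The callback allowlist and the single trusted proxy at 10.0.0.5 are assumptions for the example, not QUIC.cloud's published ranges or any real deployment:

```python
"""Client-IP derivation behind a proxy: the weak pattern beside the hardened one.

Added illustration, not LiteSpeed Cache code. The callback allowlist and the
trusted-proxy list are placeholders (RFC 5737 TEST-NET and RFC 1918 addresses),
not QUIC.cloud's published ranges or any real deployment.
"""
import ipaddress
from typing import Mapping

# Placeholder for the callback-source allowlist (assumed; not the real QUIC.cloud ranges).
CALLBACK_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed deployment: a single reverse proxy / CDN edge at 10.0.0.5 terminates
# client connections and appends the client address to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _in(ip: str, networks) -> bool:
    """True if `ip` parses and falls inside any of `networks`."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def client_ip_naive(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Weak pattern: trust the first X-Forwarded-For hop whenever the header is present.

    Any client can send this header, so the "origin" is attacker-chosen.
    """
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or remote_addr


def client_ip_hardened(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Hardened pattern: peel only the X-Forwarded-For hops that trusted proxies appended.

    If the TCP peer is not a trusted proxy, the header is ignored. Otherwise walk
    the chain from the right (the hop our peer appended); the first address that is
    not itself a trusted proxy is the client. Anything to the left of it was supplied
    by the client or by an untrusted upstream and is not believed.
    """
    if not _in(remote_addr, TRUSTED_PROXIES):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in(hop, TRUSTED_PROXIES):
            return hop
    return remote_addr  # header missing or every hop is a proxy: nothing to peel


def gate_naive(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Would the callback IP check pass under the weak derivation?"""
    return _in(client_ip_naive(remote_addr, headers), CALLBACK_ALLOWLIST)


def gate_hardened(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Would the callback IP check pass under the hardened derivation?"""
    return _in(client_ip_hardened(remote_addr, headers), CALLBACK_ALLOWLIST)


if __name__ == "__main__":
    # Constructed scenarios. Attacker 198.51.100.7 claims the allowlisted 203.0.113.10.
    cases = {
        "attacker direct, spoofed XFF": ("198.51.100.7", {"X-Forwarded-For": "203.0.113.10"}),
        "attacker via proxy, spoofed XFF": ("10.0.0.5", {"X-Forwarded-For": "203.0.113.10, 198.51.100.7"}),
        "genuine callback via proxy": ("10.0.0.5", {"X-Forwarded-For": "203.0.113.10"}),
        "genuine callback, no proxy": ("203.0.113.10", {}),
    }
    for name, (peer, hdrs) in cases.items():
        print(f"{name:34} naive={gate_naive(peer, hdrs)!s:5} hardened={gate_hardened(peer, hdrs)}")
```

The weak derivation passes the gate in both attacker scenarios because the attacker chose the leftmost hop; the hardened one rejects them because it only believes hops appended by proxies it knows about. The same rule applies to any WAF or web-server allowlist placed in front of the endpoints: it must be evaluated against the peer address, or against a header the edge itself overwrites, or the bypass simply moves to that layer.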

Defensive priority

HIGH

Recommended defensive actions

  • Update the LiteSpeed Cache plugin to the release that contains changeset 3473912 (expected as 7.7.0.1 or later); confirm the fix in the plugin changelog before treating the update as complete
  • Review the site's infrastructure to determine whether a reverse proxy, load balancer, or CDN sits in front of WordPress and whether the plugin (or the web server's real-IP handling) derives the client address from a header such as X-Forwarded-For that external clients can set
  • Implement Web Application Firewall (WAF) or web-server rules that restrict /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss to known QUIC.cloud IP ranges, enforced at the layer that sees the true peer address; a rule that itself trusts X-Forwarded-For can be bypassed the same way
  • Audit existing CCSS and UCSS cached content for unexpected markup or JavaScript (for example </style> or <script> sequences inside what should be pure CSS) and purge the cache if compromise is suspected
  • Consider a Content Security Policy (CSP) that disallows inline script (no 'unsafe-inline' in script-src, with nonces or hashes for legitimate inline scripts) to limit the impact of a successful injection; CSP constrains script execution only and does not stop the unsanitized CSS from being stored or served
  • Review server access logs for requests to the affected REST API endpoints from non-QUIC.cloud addresses, and for requests whose X-Forwarded-For value claims a QUIC.cloud address while the peer address does not
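For the log-review and cache-audit items above, here is an added Python example (my code, not the advisory's or the plugin's) that scans combined-format access-log lines for requests to the two notify endpoints from peers outside an allowlist, flags a spoof indicator where X-Forwarded-For claims an allowlisted address, and runs a heuristic markup scan over stored CSS bodies. The log lines, CSS bodies and allowlist are constructed; the allowlist is a placeholder rather than QUIC.cloud's published ranges, and the script assumes the log's first field is the real client address (the server is directly exposed, or the proxy's real-IP handling has already rewritten it):

```python
"""Triage helpers for the log-review and cache-audit steps.

Added example, not part of the advisory or of LiteSpeed Cache. The log lines and
CSS bodies are constructed; the allowlist is a placeholder (RFC 5737 TEST-NET-3),
not QUIC.cloud's published ranges. Assumption: the log's first field is the real
client address, so a disagreeing X-Forwarded-For value is a spoof indicator.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

NOTIFY_ENDPOINTS = (
    "/wp-json/litespeed/v1/notify_ccss",
    "/wp-json/litespeed/v1/notify_ucss",
)
CALLBACK_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder, not real ranges

# Combined log format plus an optional trailing quoted X-Forwarded-For field.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<xff>[^"]*)")?\s*$'
)

# Heuristic indicators that a stored CCSS/UCSS body carries markup rather than CSS.
CSS_INDICATORS = [re.compile(p, re.IGNORECASE) for p in (r"</style\s*>", r"<script\b", r"javascript\s*:")]


@dataclass
class Finding:
    timestamp: str
    peer: str
    xff: str
    path: str
    status: str
    reason: str


def in_allowlist(ip: str) -> bool:
    """True if `ip` parses and lies inside the callback allowlist."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in CALLBACK_ALLOWLIST)
    except ValueError:
        return False


def triage_log(lines: Iterable[str]) -> List[Finding]:
    """Flag notify_ccss/notify_ucss requests whose peer is outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path not in NOTIFY_ENDPOINTS:
            continue
        peer = m["peer"]
        xff = m["xff"] if m["xff"] and m["xff"] != "-" else ""
        if in_allowlist(peer):
            continue
        reason = "peer outside callback allowlist"
        if any(in_allowlist(h.strip()) for h in xff.split(",") if h.strip()):
            reason += "; X-Forwarded-For claims an allowlisted address (spoof indicator)"
        findings.append(Finding(m["ts"], peer, xff, path, m["status"], reason))
    return findings


def suspicious_css(css: str) -> List[str]:
    """Return the indicator patterns present in a stored CSS body (empty list = clean)."""
    return [p.pattern for p in CSS_INDICATORS if p.search(css)]


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2026:10:01:02 +0000] "POST /wp-json/litespeed/v1/notify_ccss HTTP/1.1" 200 27 "-" "callback-client" "-"
198.51.100.7 - - [27/May/2026:10:05:44 +0000] "POST /wp-json/litespeed/v1/notify_ucss HTTP/1.1" 200 27 "-" "curl/8.4.0" "203.0.113.10"
198.51.100.7 - - [27/May/2026:10:06:01 +0000] "POST /wp-json/litespeed/v1/notify_ccss?x=1 HTTP/1.1" 403 41 "-" "curl/8.4.0" "-"
192.0.2.44 - - [27/May/2026:10:07:15 +0000] "GET /wp-json/litespeed/v1/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
"""

# Constructed cache bodies (not real plugin output).
CLEAN_CSS = "body{margin:0}.hero{display:block}"
TAINTED_CSS = "body{margin:0}</style><script>alert(document.domain)</script><style>"

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.peer:15} {f.status} {f.path} xff={f.xff or '-'} :: {f.reason}")
    print("clean  :", suspicious_css(CLEAN_CSS))
    print("tainted:", suspicious_css(TAINTED_CSS))
```

A 200 from a non-allowlisted peer is the line worth escalating: it means the callback was accepted and, on an unpatched version, its body was written into the CCSS/UCSS store. A 403 from the same peer shows the IP gate worked for that request but still marks a host probing the endpoint. Treat the CSS scan as a first pass only; an injected payload does not have to use those exact byte sequences, so a hit means inspect, and a miss does not prove the file is clean.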

Evidence notes

Vulnerability description and technical details sourced from NVD record with Wordfence security advisory attribution. Source code locations identified via WordPress.org plugin repository browser links. CVSS vector confirms network attack vector with low attack complexity, no privileges required, no user interaction, and scope change indicating impact beyond vulnerable component. Changeset 3473912 referenced as remediation commit.

Official resources

2026-05-27