Description
The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notifications and store it to disk without sanitization. The stored content is later rendered inline on frontend page loads without output escaping. The access control protecting these endpoints is IP-based validation that can potentially be bypassed when the WordPress site is deployed behind a reverse proxy, load balancer, or CDN with certain configurations. This makes it possible for unauthenticated attackers, under certain conditions, to inject arbitrary JavaScript into CCSS/UCSS content.
Published: 2026-05-27
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LiteSpeed Cache plugin for WordPress contains a stored Cross‑Site Scripting flaw that allows an unauthenticated attacker to inject arbitrary JavaScript via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints. The flaw exists because CSS content received from QUIC.cloud callback notifications is written to disk without sanitization and later rendered inline on front‑end page loads without output escaping. This results in unauthorized execution of attacker‑supplied scripts in the context of site visitors.

Affected Systems

WordPress sites running LiteSpeed Cache version 7.7 or older are affected. All installations that use the plugin and rely on the default REST API endpoints are vulnerable, regardless of other WordPress configuration changes.

Risk and Exploitability

The CVSS score is 7.2, indicating a high severity level. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that exploitation may be limited but remains a serious threat when the endpoint can be accessed. Attackers can exploit the flaw remotely by triggering the callback endpoints, potentially bypassing IP‑based access controls when the site is positioned behind a reverse proxy, load balancer, or CDN. Successful exploitation would allow site‑wide execution of attacker‑supplied script in visitors' browsers.

Generated by OpenCVE AI on May 27, 2026 at 09:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiteSpeed Cache to the latest version (7.8 or newer) where the vulnerable endpoints are removed or secured.
  • If an upgrade is not possible immediately, re‑configure your web server or reverse proxy to allow access to the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss endpoints only from the official QUIC.cloud IP addresses and block all other IPs from reaching them.
  • As a temporary measure, disable or delete the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API routes in your WordPress configuration or .htaccess, preventing any external input from reaching these endpoints.
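An added example (not LiteSpeed's or QUIC.cloud's code) of the allow-list check described in the recommended actions above, placed beside the header-trusting pattern that lets an IP check behind a proxy or CDN be fooled. The address ranges are constructed placeholders, and the assumption that the check derives the caller's address from a forwarded header is mine, not something the advisory states.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed placeholders, not real ranges: replace with the QUIC.cloud
# addresses the vendor publishes and with your own proxy / load balancer / CDN tier.
QUIC_CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

NOTIFY_ROUTES = (
    "/wp-json/litespeed/v1/notify_ccss",
    "/wp-json/litespeed/v1/notify_ucss",
)


def _in_ranges(addr: str, ranges) -> bool:
    """True if addr parses as an IP address and falls inside one of the networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The weak pattern: trust X-Forwarded-For whenever it is present and take
    its first entry. Any client can set that header, so the check is bypassable."""
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Hardened: consult X-Forwarded-For only when the TCP peer is a trusted
    proxy, and use the right-most entry, which that proxy appended itself;
    everything to its left was supplied by the client. With several proxy hops,
    strip one trusted hop per layer from the right instead of taking the last."""
    if xff and _in_ranges(remote_addr, TRUSTED_PROXIES):
        return xff.split(",")[-1].strip()
    return remote_addr


def allow_notify_request(path: str, remote_addr: str,
                         headers: Mapping[str, str]) -> bool:
    """Permit the CCSS/UCSS callback routes only from the QUIC.cloud ranges;
    every other path is left to the site's normal access rules."""
    if path not in NOTIFY_ROUTES:
        return True
    caller = client_ip(remote_addr, headers.get("X-Forwarded-For"))
    return _in_ranges(caller, QUIC_CLOUD_RANGES)
```

A missing or malformed forwarded header behind a trusted proxy resolves to the proxy's own address and is therefore denied, so the check fails closed.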

Generated by OpenCVE AI on May 27, 2026 at 09:25 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Litespeedtech; Litespeedtech litespeed Cache; Wordpress; Wordpress wordpress
Vendors & Products | (none) | Litespeedtech; Litespeedtech litespeed Cache; Wordpress; Wordpress wordpress

Wed, 27 May 2026 08:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notifications and store it to disk without sanitization. The stored content is later rendered inline frontend page loads without output escaping. The access control protecting these endpoints is IP-based validation that can potentially be bypassed when the WordPress site is deployed behind a reverse proxy, load balancer, or CDN with certain configurations. This makes it possible for unauthenticated attackers, under certain conditions, to inject arbitrary JavaScript into CCSS/UCSS content.
Title | (none) | LiteSpeed Cache <= 7.7 - Unauthenticated Stored Cross-Site Scripting via QUIC.cloud CCSS/UCSS REST API Endpoints
Weaknesses | (none) | CWE-79
References | |
Metrics | (none) | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Litespeedtech Litespeed Cache
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:28:19.176Z

Reserved: 2026-02-28T00:59:32.665Z

Link: CVE-2026-3375

Vulnrichment

Updated: 2026-05-27T10:28:14.044Z

NVD

Status: Deferred

Published: 2026-05-27T08:16:40.707

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-3375

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T09:30:27Z

Weaknesses