{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/litespeed/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-3375"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LiteSpeed Cache plugin for WordPress"],"_cs_severities":["medium"],"_cs_tags":["cve","xss","wordpress","litespeed","plugin"],"_cs_type":"advisory","_cs_vendors":["LiteSpeed"],"content_html":"\u003cp\u003eThe LiteSpeed Cache plugin for WordPress, a popular performance optimization tool, contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-3375) in versions up to and including 7.7. The vulnerability exists within the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints. These endpoints are designed to receive CSS content from QUIC.cloud callback notifications. However, the plugin fails to properly sanitize this content before storing it to disk. Consequently, when the stored CSS is rendered inline during frontend page loads, it is not output-escaped, creating an opportunity for malicious code injection. The IP-based access control that protects these endpoints can be bypassed when the WordPress site is deployed behind a reverse proxy, load balancer, or CDN with certain configurations. 
Exploitation could lead to arbitrary JavaScript execution within the context of a user\u0026rsquo;s browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of the LiteSpeed Cache plugin (\u0026lt;= 7.7) behind a reverse proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing JavaScript code embedded within CSS syntax.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses the IP-based access control, possibly by spoofing or manipulating headers related to the reverse proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to either the /wp-json/litespeed/v1/notify_ccss or /wp-json/litespeed/v1/notify_ucss endpoint with the malicious CSS payload.\u003c/li\u003e\n\u003cli\u003eThe vulnerable endpoint stores the unsanitized CSS content to disk.\u003c/li\u003e\n\u003cli\u003eA user visits a page on the compromised WordPress site.\u003c/li\u003e\n\u003cli\u003eThe stored CSS, including the injected JavaScript, is rendered inline within the page\u0026rsquo;s HTML.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the attacker-controlled JavaScript, leading to XSS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability (CVE-2026-3375) can lead to a range of detrimental outcomes. An attacker could inject malicious scripts that steal user session cookies, redirect users to phishing sites, deface the website, or perform other unauthorized actions on behalf of the user. 
The vulnerability affects all sites using the LiteSpeed Cache plugin for WordPress with versions up to and including 7.7 that are deployed behind a reverse proxy, load balancer, or CDN.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the LiteSpeed Cache plugin for WordPress to a version greater than 7.7 to patch CVE-2026-3375.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and output encoding mechanisms for the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts by monitoring POST requests to the vulnerable endpoints (see rule: \u0026ldquo;Detect CVE-2026-3375 Exploitation via LiteSpeed Cache REST API\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eReview the reverse proxy, load balancer, or CDN configuration to ensure proper IP-based access control and prevent header spoofing.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T08:18:22Z","date_published":"2026-05-27T08:18:22Z","id":"https://feed.craftedsignal.io/briefs/2026-05-litespeed-cache-xss/","summary":"The LiteSpeed Cache plugin for WordPress is vulnerable to stored Cross-Site Scripting (XSS) via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints, affecting versions up to 7.7, allowing unauthenticated attackers to inject arbitrary JavaScript into CCSS/UCSS content by bypassing IP-based access controls.","title":"LiteSpeed Cache Plugin Stored XSS Vulnerability (CVE-2026-3375)","url":"https://feed.craftedsignal.io/briefs/2026-05-litespeed-cache-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — LiteSpeed","version":"https://jsonfeed.org/version/1.1"}