LSCWP Responsive Placeholders Patch
We have a security update for LiteSpeed Cache for WordPress. Recently we were made aware of a vulnerability in the LiteSpeed Cache for WordPress plugin. We patched this vulnerability in v7.1.
To protect your WordPress sites, please update to the latest version of the LSCache plugin immediately.
This Server Side Request Forgery vulnerability, reported by the Patchstack team, has been assigned CVE-2025-47437.
Impact
This vulnerability affects sites that use Responsive Placeholders with the following configuration:
- Media Settings > Lazy Load Images must be ON
- Media Settings > Responsive Placeholders must be ON
With both of these settings in place, the vulnerability may be exploited by a user with the unfiltered_html capability and the ability to create a new post with a Custom HTML block.
NOTE: By default, only the Editor, Admin, and Super Admin roles have the unfiltered_html capability, but admins may assign it to other roles on a case-by-case basis via a plugin or custom code.
Actions
We suggest that every site upgrade to the plugin version 7.1 or higher to patch this low-severity vulnerability.
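One way to check a site against the conditions above, as an added example that is not LiteSpeed's own tooling: it uses WP-CLI to compare the installed plugin version with 7.1 and to list the roles that hold unfiltered_html. The WP override variable and the function names are assumptions of this example; the two Media settings still need to be confirmed in the plugin's settings page.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2025-47437 using WP-CLI.
# Run from the WordPress root. WP is an override hook assumed by this example.
WP=${WP:-wp}
FIXED_VERSION="7.1"   # patched release named in the advisory

# version_lt A B: true when dotted version A is lower than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$1" ]
}

# roles_with_cap CAP: print every role slug that holds capability CAP.
roles_with_cap() {
    for role in $($WP role list --field=role); do
        if $WP cap list "$role" | grep -qxF "$1"; then
            echo "$role"
        fi
    done
}

# audit: return 0 when patched or absent, 1 when an update is needed.
audit() {
    version=$($WP plugin get litespeed-cache --field=version 2>/dev/null) || {
        echo "litespeed-cache is not installed"; return 0; }
    if ! version_lt "$version" "$FIXED_VERSION"; then
        echo "OK: litespeed-cache $version includes the fix"
        return 0
    fi
    echo "UPDATE NEEDED: litespeed-cache $version is older than $FIXED_VERSION"
    echo "Roles with unfiltered_html (able to reach the issue if both"
    echo "Media settings are ON): $(roles_with_cap unfiltered_html | tr '\n' ' ')"
    return 1
}

if command -v "$WP" >/dev/null 2>&1; then
    audit
else
    echo "WP-CLI not found; install it or set WP to its path"
fi
```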
Timeline
- April 10, 2025: Patchstack alerted us to the issue.
- April 24, 2025: We patched the issue and released v7.1 to the WordPress repository.
- April 30, 2025: We added v7.1 to the list of stable releases in our control panel plugins.
Conclusion
We thank Patchstack for bringing this issue to our attention. This vulnerability has been patched, so if you are keeping your LiteSpeed Cache plugin up-to-date, there is nothing you need to do. If you have not updated in a while, please do so today.