LSCWP Responsive Placeholders Patch

LiteSpeed Cache v7.1 Patch

We have a security update for LiteSpeed Cache for WordPress. We were recently made aware of a vulnerability in the plugin, and we patched it in v7.1.

To protect your WordPress sites, please update to the latest version of the LSCache plugin immediately.

This Server-Side Request Forgery (SSRF) vulnerability, reported by the Patchstack team, has been assigned CVE-2025-47437.

Impact

This vulnerability affects sites that use Responsive Placeholders with the following configuration:

  • Media Settings > Lazy Load Images must be ON
  • Media Settings > Responsive Placeholders must be ON

With both of these settings in place, the vulnerability may be exploited by a user who has the unfiltered_html capability and the ability to create a new post with a Custom HTML block.

NOTE: By default, only the Editor, Admin, and Super Admin roles have the unfiltered_html capability, but admins may assign it to other roles on a case-by-case basis via a plugin or custom code.
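
The conditions above can be turned into a fleet triage check. The following is an added example, not LiteSpeed's code: it classifies sites from an exported inventory, and the record field names, role labels, and sample hostnames are assumptions constructed for illustration.

```python
import re

PATCHED = (7, 1)  # first fixed release named in the advisory
# Default holders of unfiltered_html per the advisory (role labels are assumed slugs).
DEFAULT_ROLES = {"editor", "administrator", "super admin"}

def parse_version(text):
    """Return a tuple of ints for a plain dotted version, or None for anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None  # 'trunk', '7.1-rc1', empty string: do not guess
    return tuple(int(p) for p in text.split("."))

def triage(site):
    """Classify one site record against the conditions listed under Impact."""
    version = parse_version(site["lscache_version"])
    if version is None:
        return {"status": "check-manually", "extra_roles": []}
    if version >= PATCHED:
        return {"status": "patched", "extra_roles": []}
    # Both Media settings must be ON for the issue to be reachable.
    if not (site["lazy_load_images"] and site["responsive_placeholders"]):
        return {"status": "unpatched-config-off", "extra_roles": []}
    # Roles granted unfiltered_html beyond the defaults widen who can reach it.
    extra = sorted(r for r in site["unfiltered_html_roles"]
                   if r.lower() not in DEFAULT_ROLES)
    return {"status": "exposed", "extra_roles": extra}

# Constructed sample inventory; hostnames and values are made up for illustration.
INVENTORY = [
    {"site": "shop.example", "lscache_version": "7.0.1", "lazy_load_images": True,
     "responsive_placeholders": True,
     "unfiltered_html_roles": ["administrator", "editor", "author"]},
    {"site": "blog.example", "lscache_version": "7.0.1", "lazy_load_images": True,
     "responsive_placeholders": False,
     "unfiltered_html_roles": ["administrator", "editor"]},
    {"site": "docs.example", "lscache_version": "7.1", "lazy_load_images": True,
     "responsive_placeholders": True,
     "unfiltered_html_roles": ["administrator", "editor"]},
    {"site": "old.example", "lscache_version": "trunk", "lazy_load_images": True,
     "responsive_placeholders": True, "unfiltered_html_roles": ["administrator"]},
]

def report(inventory):
    """Map each site name to its triage result."""
    return {rec["site"]: triage(rec) for rec in inventory}

if __name__ == "__main__":
    for name, result in report(INVENTORY).items():
        print(f"{name}: {result['status']} extra_roles={result['extra_roles']}")
```

Sites reported as unpatched-config-off still need the upgrade; the status only records that the two settings are not both ON in the exported data.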

Actions

We suggest that every site upgrade to plugin version 7.1 or higher to patch this low-severity vulnerability.

Timeline

  • April 10, 2025: Patchstack alerted us to the issue.
  • April 24, 2025: We patched the issue and released v7.1 to the WordPress repository.
  • April 30, 2025: We added v7.1 to the list of stable releases in our control panel plugins.

Conclusion

We thank Patchstack for bringing this issue to our attention. This vulnerability has been patched, so if you are keeping your LiteSpeed Cache plugin up to date, there is nothing you need to do. If you have not updated in a while, please do so today.

