Security Update for LSCWP

We have a security update for LiteSpeed Cache for WordPress. Recently we were made aware of a vulnerability in the LiteSpeed Cache for WordPress plugin. We patched this vulnerability earlier this month, in v7.6.
To protect your WordPress sites, please update to the latest version of the LSCache plugin immediately.
This cross-site scripting vulnerability, reported by the Trustwave team, has been assigned CVE-2025-12450.
Impact
This vulnerability only affects those who have debug enabled:
- Debug Log must be ON or Admin IP Only
- Enable Cache must be ON
With both of these settings in place, the vulnerability may be exploited when a visitor accesses a link with a particular malicious string appended to the URL.
Since it’s not common to turn on debug mode and keep it on, we don’t expect this vulnerability to be frequently exploited.
Actions
We recommend that every site upgrade to plugin version 7.6 or higher to patch this vulnerability.
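For hosts that carry many WordPress installs, the following added example (not LiteSpeed's own code) reads the plugin header from disk under each site root and flags installs older than 7.6. It assumes the plugin sits in its default `wp-content/plugins/litespeed-cache/` directory; the sample sites are constructed, and the Debug Log and Enable Cache settings are not checked because they live in the database.

```python
import re
import tempfile
from pathlib import Path

FIXED = (7, 6)  # first patched release, per the advisory
# Assumption: the plugin is installed under its default wordpress.org slug.
PLUGIN_FILE = Path("wp-content/plugins/litespeed-cache/litespeed-cache.php")
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.M | re.I)

def parse_version(text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = HEADER_RE.search(text[:8192])  # WordPress reads headers from the first 8 KB
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".") if p]
    while len(parts) > 1 and parts[-1] == 0:  # treat 7.6.0 as equal to 7.6
        parts.pop()
    return tuple(parts)

def audit(roots):
    """Map each WordPress root to patched / needs-update / unknown / not-installed."""
    report = {}
    for root in map(Path, roots):
        path = root / PLUGIN_FILE
        if not path.is_file():
            report[str(root)] = "not-installed"
            continue
        ver = parse_version(path.read_text(encoding="utf-8", errors="replace"))
        if ver is None:
            report[str(root)] = "unknown"  # header unreadable: check by hand
        else:
            report[str(root)] = "patched" if ver >= FIXED else "needs-update"
    return report

def build_sample(base):
    """Constructed sample data: fake site roots, each with a plugin header."""
    roots = []
    for name, ver in [("old", "7.5.0.1"), ("fixed", "7.6"), ("newer", "7.6.2"), ("bare", None)]:
        root = Path(base) / name
        roots.append(root)
        if ver:
            f = root / PLUGIN_FILE
            f.parent.mkdir(parents=True)
            f.write_text(f"<?php\n/**\n * Plugin Name: LiteSpeed Cache\n * Version: {ver}\n */\n")
    return roots

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for site, status in audit(build_sample(tmp)).items():
            print(f"{status:14} {site}")
```

To use it on a real host, pass `audit()` the list of WordPress document roots in place of the constructed sample.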
Timeline
- October 14, 2025: Trustwave alerted us to the issue.
- October 15, 2025: We patched the issue and released v7.6 to the WordPress repository.
- October 21, 2025: We added v7.6 to the list of stable releases in our control panel plugins.
Conclusion
We thank Trustwave for bringing this issue to our attention. This vulnerability has been patched, so if you are keeping your LiteSpeed Cache plugin up-to-date, there is nothing you need to do. If you have not updated in a while, please do so today.