Security Update for LSCWP

We have a security update for LiteSpeed Cache for WordPress. A few months ago, we were made aware of a vulnerability in the LiteSpeed Cache for WordPress plugin. We patched it shortly thereafter, in v7.8.
To protect your WordPress sites, please update to the latest version of the LSCache plugin immediately.
This cross-site scripting vulnerability, reported by the Wordfence team, has been assigned CVE-2026-3375.
Impact
This vulnerability only affects sites where one or both of the following settings are enabled in Page Optimization > CSS Settings:
- Generate UCSS
- Load CSS Asynchronously
Additionally, the site’s server IP must be exposed, and there must be a QUIC.cloud- or Cloudflare-related misconfiguration in the site’s WordPress code.
With all of the above in place, the vulnerability may be exploited.
Given that it requires a misconfiguration, we don’t expect this vulnerability to be frequently exploited.
Actions
We recommend that every site upgrade to plugin version 7.8 or higher to patch this vulnerability.
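To find the sites that still need this upgrade, the following added example (not LiteSpeed's own code) classifies a site from its plugin version and the two settings named under Impact. The `wp litespeed-option get` command and the option keys `optm-ucss` and `optm-css_async` are assumptions about the plugin's WP-CLI interface, and the verdict labels are invented for this example.

```bash
#!/usr/bin/env bash
# Added triage example: flags a site that still meets the advisory's
# plugin-side conditions. The fixed version 7.8 comes from the post.
FIXED_VERSION="7.8"

# version_lt A B -> success when A is strictly older than B (uses sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_on VALUE -> success for the truthy forms an option value may take.
is_on() {
    case "$1" in 1|true|True|on|ON) return 0 ;; *) return 1 ;; esac
}

# classify VERSION UCSS CSS_ASYNC -> prints one verdict word.
classify() {
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo "patched"
    elif is_on "$2" || is_on "$3"; then
        echo "update-now"   # old version and an affected setting is enabled
    else
        echo "update"       # old version, affected settings currently off
    fi
}

# audit_site PATH -> reads live values through WP-CLI and classifies them.
# Assumption: `wp litespeed-option get` and the keys optm-ucss and
# optm-css_async; verify both against your installed plugin.
audit_site() {
    local path="$1" ver ucss async
    ver=$(wp --path="$path" plugin get litespeed-cache --field=version) || return 2
    ucss=$(wp --path="$path" litespeed-option get optm-ucss 2>/dev/null)
    async=$(wp --path="$path" litespeed-option get optm-css_async 2>/dev/null)
    printf '%s\t%s\t%s\n' "$path" "$ver" "$(classify "$ver" "$ucss" "$async")"
}

# Audit each WordPress root given on the command line, if any.
for site in "$@"; do
    audit_site "$site"
done
```

The script cannot see the other two conditions (an exposed server IP and a QUIC.cloud- or Cloudflare-related misconfiguration), so treat `update-now` as a priority order for patching, not as proof of exposure.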
Timeline
- February 27, 2026: Wordfence alerted us to the issue.
- March 3, 2026: We patched the issue and released v7.8 to the WordPress repository.
- March 20, 2026: We added v7.8 to the list of stable releases in our control panel plugins.
Conclusion
We thank Wordfence for bringing this issue to our attention. This vulnerability has been patched, so if you are keeping your LiteSpeed Cache plugin up to date, there is nothing you need to do. If you have not updated in a while, please do so today.