PLUGIN SECURITY
Is LiteSpeed Cache safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the LiteSpeed Cache WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
litespeed-cache - Requires PHP: 7.2+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- LiteSpeed Cache [litespeed-cache] < 4.4.4 [CVE-2021-24963, WordPress LiteSpeed Cache plugin <= 4.4.3 - Reflected Cross-Site Scripting (XSS) vulnerability, LiteSpeed Cache <= 4.4.3 - Reflected Cross-Site Scripting via qc_res, LiteSpeed Cache < 4.4.4 - Admin+ Reflected Cross-Site Scripting]
- LiteSpeed Cache [litespeed-cache] < 4.4.4 [CVE-2021-24964, WordPress LiteSpeed Cache plugin <= 4.4.3 - IP Check Bypass to Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability, LiteSpeed Cache <= 4.4.3 - Authorization Bypass, LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS]
- LiteSpeed Cache [litespeed-cache] < 3.6.1 [CVE-2020-29172, LiteSpeed Cache <= 3.6 - Authenticated Stored Cross-Site Scripting via IP setting, LiteSpeed Cache < 3.6.1 - Authenticated Stored Cross-Site Scripting]
- LiteSpeed Cache [litespeed-cache] < 3.6.1 [WordPress LiteSpeed Cache plugin <= 3.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability]
- LiteSpeed Cache [litespeed-cache] < 5.3.1 [CVE-2022-46800, WordPress LiteSpeed Cache Plugin <= 5.3 is vulnerable to Cross Site Request Forgery (CSRF), LiteSpeed Cache <= 5.3 - Missing Authorization to Toggle Crawler State, LiteSpeed Cache <= 5.3 - CSRF]
+ 15 more known vulnerabilities
- LiteSpeed Cache [litespeed-cache] < 5.7 [CVE-2023-4372, LiteSpeed Cache <= 5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode, WordPress LiteSpeed Cache Plugin <= 5.6 is vulnerable to Cross Site Scripting (XSS), LiteSpeed Cache < 5.7 - Contributor+ Stored XSS]
- LiteSpeed Cache [litespeed-cache] < 5.7.0.1 [CVE-2023-45000, WordPress LiteSpeed Cache Plugin <= 5.7 is vulnerable to Broken Access Control, LiteSpeed Cache <= 5.7 - Missing Authorization via update_cdn_status, LiteSpeed Cache < 5.7.0.1 - Unauthenticated CDN Status Update]
- LiteSpeed Cache [litespeed-cache] < 5.7.0.1 [CVE-2023-40000, WordPress LiteSpeed Cache Plugin <= 5.7 is vulnerable to Cross Site Scripting (XSS), LiteSpeed Cache <= 5.7 - Unauthenticated Stored Cross-Site Scripting via 'nameservers' and '_msg', LiteSpeed Cache < 5.7.0.1 - Unauthenticated Stored XSS]
- LiteSpeed Cache [litespeed-cache] < 6.3 [CVE-2024-3246, WordPress LiteSpeed Cache Plugin <= 6.2.0.1 is vulnerable to Cross Site Request Forgery (CSRF), LiteSpeed Cache <= 6.2.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting]
- LiteSpeed Cache [litespeed-cache] < 6.4 [CVE-2024-28000, WordPress LiteSpeed Cache Plugin <= 6.3.0.1 is vulnerable to Privilege Escalation, LiteSpeed Cache <= 6.3.0.1 - Unauthenticated Privilege Escalation]
- LiteSpeed Cache [litespeed-cache] < 6.5.0.1 [CVE-2024-44000, WordPress LiteSpeed Cache Plugin < 6.5.0.1 is vulnerable to Broken Authentication, LiteSpeed Cache <= 6.4.1 - Unauthenticated Sensitive Information Exposure via Log Files]
- LiteSpeed Cache [litespeed-cache] < 6.5 [CVE-2024-9169, WordPress LiteSpeed Cache Plugin <= 6.4.1 is vulnerable to Cross Site Scripting (XSS), litespeed cache <= 6.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting]
- LiteSpeed Cache [litespeed-cache] < 6.5.1 [CVE-2024-47637, WordPress LiteSpeed Cache Plugin <= 6.4.1 is vulnerable to Path Traversal, LiteSpeed Cache <= 6.4.1 - Authenticated (Author+) Path Traversal]
- LiteSpeed Cache [litespeed-cache] < 6.5.1 [CVE-2024-47374, WordPress LiteSpeed Cache Plugin <= 6.5.0.2 is vulnerable to Cross Site Scripting (XSS), LiteSpeed Cache <= 6.1 - Unauthenticated Stored Cross-Site Scripting]
- LiteSpeed Cache [litespeed-cache] < 6.5.1 [CVE-2024-47373, WordPress LiteSpeed Cache Plugin <= 6.5.0.2 is vulnerable to Cross Site Scripting (XSS), LiteSpeed Cache <= 6.5.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting]
- LiteSpeed Cache [litespeed-cache] < 6.5.2 [CVE-2024-50550, WordPress LiteSpeed Cache Plugin <= 6.5.1 is vulnerable to Privilege Escalation, LiteSpeed Cache <= 6.5.1 - Unauthenticated Privilege Escalation]
- LiteSpeed Cache [litespeed-cache] < 6.5.3 [CVE-2024-51915, WordPress LiteSpeed Cache Plugin <= 6.5.2 is vulnerable to Cross Site Scripting (XSS), LiteSpeed Cache <= 6.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting]
- LiteSpeed Cache [litespeed-cache] < 7.1 [CVE-2025-47437, LiteSpeed Cache <= 7.0.1 - Authenticated (Editor+) Server-Side Request Forgery, EUVD-2025-27442]
- LiteSpeed Cache [litespeed-cache] < 7.6 [CVE-2025-12450, LiteSpeed Cache <= 7.5.0.1 - Reflected Cross-Site Scripting]
- LiteSpeed Cache [litespeed-cache] < 7.8 [CVE-2026-3375, LiteSpeed Cache <= 7.7 - Unauthenticated Stored Cross-Site Scripting via QUIC.cloud CCSS/UCSS REST API Endpoints]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- WP Super Cache — 1000000+ active installs — max PHP 8.4
- Speed Optimizer – The All-In-One Performance-Boosting Plugin — 1000000+ active installs — max PHP 8.4
- WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance — 1000000+ active installs — max PHP <8.0
- WP Fastest Cache – WordPress Cache Plugin — 1000000+ active installs — max PHP 8.4
- W3 Total Cache — 900000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.