Latest Article Changes:
05/20/26 07:25AM CST: Updated to clarify that only the cPanel Plugin should be disabled.
Situation
A security vulnerability was found in the plugin provided by LiteSpeed that allowed unauthorized root access to the server.
Impact
In order to mitigate this vulnerability further, it is recommended to disable the LiteSpeed User-End Plugin for cPanel. This plugin will be automatically removed as part of the cPanel update on May 19, 2026, for all cPanel versions.
Note: The LiteSpeed web service will continue to function without issue.
Call to Action
The LiteSpeed plugin will be automatically disabled as part of the cPanel update process. Run the following to ensure that cPanel is fully up to date:
# /scripts/upcp --force
To immediately process the plugin removal, the following command should be run:
# /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
Additional Information
Security: SEC-73728 cPanel & WHM / WP2 Security Update - May 19, 2026
Security: SEC-73755 cPanel & WHM / WP2 Security Update - May 19, 2026
Comments
4 comments
Some basic info would be helpful!? Example: Affected version of the plugin, URL of LiteSpeed advisory, version (or expected version that will be patched) etc.
LiteSpeed plugin loads even though it seems uninstalled; /cgi/lsws/lsws.cgi shows the admin page.
Also, why wasn't this communicated in an email as the other ones?
Feedback I received from LiteSpeed Support:
It has been 8 hours and still the instructions contain an absolute rookie mistake:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --autoinstall 0
Instead of the correct
/usr/local/lsws/admin/misc/lscmctl cpanelplugin -autoinstall 0
cgi/lsws/lsws.cgi still works after the supposed patch, as already mentioned by others, which is to be expected knowing what the script does. However, it is very unclear if that is really enough mitigation.
Because of the wording of the security advisory that states "it is recommended to disable the LiteSpeed cPanel/WHM plugin":
Do we need to run in addition /usr/local/cpanel/whostmgr/docroot/cgi/lsws/lsws_whm_plugin_uninstall.sh?
See step 2 of the LiteSpeed documentation: https://docs.litespeedtech.com/lsws/cp/cpanel/uninstall/
Or is the cPanel mitigation all that is needed as of this moment?
I appreciate the quick response, but let's keep it also a safe, working and good response.
We need a little less hastily written and, worse, less not verified documentation. "This hits customers"