Vulnerability Analysis

LiteSpeed Cache Privilege Escalation PoC – CVE-2024-28000

This repository contains a Proof of Concept (PoC) script for exploiting a privilege escalation vulnerability in the LiteSpeed Cache WordPress plugin.

The vulnerability, identified as CVE-2024-28000, allows unauthenticated users to gain Administrator-level access to a WordPress site by brute-forcing a weak security hash used in the plugin.

Vulnerability Overview

The LiteSpeed Cache plugin’s user simulation feature is protected by a weak security hash generated using predictable values.

An attacker can exploit this vulnerability by brute-forcing the security hash and passing it in a cookie along with a targeted user ID. If successful, the attacker can escalate their privileges to that of an Administrator.

Affected Versions

  • LiteSpeed Cache plugin versions prior to 6.4 are vulnerable.

Author

  • PoC: Alucard0x1
  • Telegram

Credit

Disclaimer

This PoC is for educational purposes only. Do not use this script to target systems without explicit permission from the system owner. Unauthorized access to systems is illegal and unethical.

Requirements

  • Python 3.x
  • requests library

Installation

Clone the repository and install the required Python package:

git clone https://github.com/Alucard0x1/CVE-2024-28000.git
cd CVE-2024-28000
pip install -r requirements.txt

How To Use

1. Set Up The Target

Edit the TARGET_SITE and ADMIN_USER_ID variables in the script to point to the target WordPress site and the user ID of the Administrator you want to impersonate.

# Target site and admin user ID
target_url = 'http://example.com'

admin_user_id = '1'

2. Trigger Hash Generation

The PoC first triggers the generation of the security hash on the target site using an unauthenticated AJAX request. This step is necessary if the crawler feature in the LiteSpeed Cache plugin has not been used, as the hash might not yet be generated.

3. Run The Brute-force Attack

Run the script to start the brute-force attack:

python litespeed_cache_poc.py

The script will attempt to brute-force the weak security hash by sending requests to the WordPress REST API. If a valid hash is found, it will print the successful hash value, and the exploit will be deemed successful.

4. Interpret The Results

  • If the script prints [SUCCESS] Valid hash found: <hash>, it means the exploit was successful, and Administrator-level access was gained.
  • If the script prints [FAIL] Invalid hash: <hash>, the attempt failed, and the hash was incorrect.
  • If the script prints [ERROR] Unexpected response for hash: <hash>, it indicates that an unexpected status code was returned from the target site.

Mitigations

To protect your WordPress site from this vulnerability, ensure that you are using the latest version of the LiteSpeed Cache plugin. Version 6.4 and above include patches that mitigate this vulnerability.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

13 hours ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

13 hours ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

1 day ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

2 days ago

HikPwn : Simple Scanner For Hikvision Devices With Basic Vulnerability Scanning

HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…

2 days ago

Comments in Bash Scripts

What Are Bash Comments? Comments in Bash scripts, are notes in your code that the…

1 week ago