CVE-2024-28000
📋 TL;DR
This vulnerability allows unauthenticated attackers to escalate privileges in the LiteSpeed Cache WordPress plugin. Attackers can gain administrative access to affected WordPress sites without requiring any authentication. All WordPress sites running LiteSpeed Cache versions 1.9 through 6.3.0.1 are affected.
💻 Affected Systems
- LiteSpeed Cache WordPress Plugin
📦 What is this software?
Litespeed Cache by Litespeedtech
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain full administrative control, can install backdoors, steal sensitive data, deface websites, or use the site for further attacks.
Likely Case
Attackers gain administrative access to compromise the WordPress site, potentially leading to data theft, malware injection, or site defacement.
If Mitigated
With proper network segmentation and monitoring, impact could be limited to the affected web server, but administrative access still poses significant risk.
🎯 Exploit Status
Public exploit code is available, making this easily weaponizable. No authentication required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.0.2 and later
Vendor Advisory: https://www.litespeedtech.com/products/cache-plugins/wordpress-acceleration
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find LiteSpeed Cache and click 'Update Now'. 4. Alternatively, download version 6.3.0.2+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable LiteSpeed Cache Plugin
allTemporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate litespeed-cache
Restrict Access to WordPress Admin
allLimit access to WordPress admin interface using IP whitelisting or firewall rules
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block privilege escalation attempts
- Enable strict monitoring of WordPress admin user creation and privilege changes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for LiteSpeed Cache version. If version is between 1.9 and 6.3.0.1 inclusive, you are vulnerable.Check Version:
wp plugin get litespeed-cache --field=versionVerify Fix Applied:
Verify LiteSpeed Cache plugin version is 6.3.0.2 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unexpected admin user creation
- Privilege escalation attempts in WordPress logs
- Unauthenticated requests to LiteSpeed Cache endpoints
Network Indicators:
- Unusual traffic to /wp-admin/admin-ajax.php with litespeed_cache parameters
- Multiple failed login attempts followed by successful admin access
SIEM Query:
source="wordpress.log" AND ("admin_user_created" OR "user_role_changed" OR "litespeed_cache" AND "unauthorized")🔗 References
- https://patchstack.com/articles/critical-privilege-escalation-in-litespeed-cache-plugin-affecting-5-million-sites?_s_id=cve
- https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-3-0-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve
- https://packetstorm.news/files/id/200819/
- https://thehackernews.com/2024/08/critical-flaw-in-wordpress-litespeed.html?m=1
- https://www.exploit-db.com/exploits/52328
