Incorrect Privilege Assignment vulnerability in LiteSpeed Cache allows Privilege Escalation
CVE-2024-28000
Key Information:
- Vendor: LiteSpeed Technologies
- Product: LiteSpeed Cache (WordPress plugin)
- CVE Published: 21 August 2024
Summary
CVE-2024-28000 is an unauthenticated privilege escalation vulnerability in the widely used LiteSpeed Cache plugin for WordPress. An unauthenticated attacker can obtain administrator-level access and use it to create new user accounts with the administrator role, giving full control of the site. The flaw stems from the plugin's user simulation feature. It is rated critical with a CVSS score of 9.8 and is fixed in version 6.4 of the plugin; sites running an affected version should update immediately. At the time of writing it has not been observed in ransomware activity, but researchers have warned that active exploitation is likely to begin soon, and site owners should also review their user list for administrator accounts they did not create.
Affected Version(s)
LiteSpeed Cache 1.9 through 6.3.0.1 (fixed in 6.4)
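The two checks a site owner wants after reading the affected range above are (1) is my installed plugin version inside 1.9 through 6.3.0.1, and (2) are there administrator accounts I did not create. The script below is an added example, not code from this page or from LiteSpeed; it reads the `Version:` line of the plugin's main PHP file header, compares it against the advisory's range with a proper multi-component version comparison (so that 6.3.0.1 sorts below 6.4), and flags administrator logins absent from an allow-list given CSV output from WP-CLI's `wp user list`. The plugin header and the user list embedded here are constructed sample data, and the allow-list of expected administrators is an assumption you replace with your own.

```python
"""Version-range and unexpected-admin checks for CVE-2024-28000 (added example)."""
import csv
import io
import re
from typing import List, Optional, Set, Tuple

# Affected range as listed in the advisory: 1.9 through 6.3.0.1, fixed in 6.4.
AFFECTED_MIN = "1.9"
AFFECTED_MAX = "6.3.0.1"
FIXED_IN = "6.4"

# Constructed sample: the header block at the top of litespeed-cache.php.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: LiteSpeed Cache
 * Description: High-performance page caching and site optimization.
 * Version: 6.3.0.1
 */
"""

# Constructed sample of:
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv
SAMPLE_ADMIN_CSV = """user_login,user_registered
siteadmin,2021-03-02 10:15:44
new_admin_01,2024-08-22 03:41:09
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.3.0.1' into (6, 3, 0, 1); a non-numeric suffix ends parsing."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a comparator; missing components count as 0,
    so '6.4' is treated as '6.4.0.0' when compared with '6.3.0.1'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(version: str) -> bool:
    """True when AFFECTED_MIN <= version <= AFFECTED_MAX."""
    return cmp_versions(version, AFFECTED_MIN) >= 0 and cmp_versions(version, AFFECTED_MAX) <= 0


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Read the 'Version:' field of a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return match.group(1) if match else None


def unexpected_admins(wp_user_csv: str, known_admins: Set[str]) -> List[str]:
    """Return administrator logins that are not in the allow-list, in listing order."""
    reader = csv.DictReader(io.StringIO(wp_user_csv))
    return [row["user_login"] for row in reader if row["user_login"] not in known_admins]


if __name__ == "__main__":
    installed = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    print(f"installed LiteSpeed Cache version: {installed}")
    if installed and is_vulnerable(installed):
        print(f"VULNERABLE: {installed} is within {AFFECTED_MIN}..{AFFECTED_MAX}; update to {FIXED_IN}+")
    else:
        print("not in the affected range")
    # Assumed allow-list of administrators you expect to exist on the site.
    for login in unexpected_admins(SAMPLE_ADMIN_CSV, {"siteadmin"}):
        print(f"REVIEW: unexpected administrator account '{login}'")
```

To run it against a real site, replace `SAMPLE_PLUGIN_HEADER` with the contents of `wp-content/plugins/litespeed-cache/litespeed-cache.php` and `SAMPLE_ADMIN_CSV` with the output of the `wp user list` command shown in the comment. The padded comparison matters: a naive string comparison would rank "6.3.0.1" above "6.4" and report a patched site as vulnerable.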
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. Public PoC code is also a key component of weaponization: once it is available, mass exploitation, including by ransomware operators, typically follows.
News Articles
Record Bounty Awarded as Critical Privilege Escalation Vulnerability Patched in LiteSpeed Cache Plugin
The LiteSpeed Cache Plugin, widely used to enhance the speed and performance of WordPress websites, recently patched a critical unauthenticated privilege escalation vulnerability (CVE-2024-28000). …
5 months ago
Timeline
- Public PoC available
- Exploit known to exist
- First article discovered by WP Tavern
- Vulnerability published
- Vulnerability reserved