Privilege Escalation in LiteSpeed Cache for WordPress
CVE-2024-28000 is an Incorrect Privilege Assignment vulnerability in the LiteSpeed Cache WordPress plugin from LiteSpeed Technologies, affecting versions through 6.3.0.1. The flaw allows privileges to be assigned incorrectly within the plugin, resulting in a privilege-escalation condition. The source material does not identify the specific vulnerable function, code path, or request parameters involved, so a more detailed technical characterization is not currently available from the provided sources.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a C# Proof of Concept (PoC) exploit for CVE-2024-28000, a critical privilege escalation vulnerability in the LiteSpeed Cache plugin for WordPress. The exploit targets sites running vulnerable versions (below 6.4) of the plugin, which uses a weak and predictable security hash for its user simulation feature. The main code file, Program.cs, implements the following capabilities:
- Checks for the presence and version of the LiteSpeed Cache plugin on a target WordPress site.
- Attempts to brute-force the weak security hash used by the plugin.
- If successful, sends a crafted request to the WordPress REST API endpoint (/wp-json/wp/v2/users) to create a new administrator user, thereby granting the attacker full admin access.
- Includes optional Google Dorking functionality to help identify potential targets.
The exploit is a standalone .NET 8 application and requires only the target URL, desired admin username, and password as input. The repository also includes documentation in both English and Farsi, Visual Studio project files, and NuGet package references. No fake or destructive code is present; the exploit is a legitimate PoC for the described vulnerability.
This repository provides a Python proof-of-concept exploit for CVE-2024-28000, a privilege escalation vulnerability in the LiteSpeed Cache WordPress plugin (versions prior to 6.4). The exploit targets the plugin's weak security hash mechanism, allowing an unauthenticated attacker to brute-force the hash and impersonate an administrator. The main script, 'litespeed_cache_poc.py', first triggers the hash generation via an AJAX request, then launches a multi-threaded brute-force attack against the WordPress REST API by sending requests with different hash values in cookies. Upon finding a valid hash, the script uses the gained privileges to create a new administrator user on the target site. The repository includes a README with detailed usage instructions and a requirements.txt listing the 'requests' library as a dependency. The exploit is a functional PoC and does not belong to any exploit framework.
This repository provides a proof-of-concept (PoC) exploit for CVE-2024-28000, a critical privilege escalation vulnerability in the LiteSpeed Cache plugin for WordPress (versions prior to 6.4). The repository contains two main Python scripts:
1. checkdebuglog.py: Scans a list of target URLs to identify WordPress sites with an exposed debug.log file at /wp-content/debug.log. This file is required for the exploit to succeed.
2. exploit.py: Automates the exploitation process. It first triggers the LiteSpeed plugin to generate a hash, retrieves the correct hash from the exposed debug.log, and then uses this information to create a new administrator user on the target site via the WordPress REST API. Optionally, it can also deactivate the Wordfence security plugin by sending a crafted AJAX request.
The exploit requires the target to have an accessible debug.log file and a vulnerable version of the LiteSpeed Cache plugin. The payload is operational, as it results in the creation of a new admin user and can disable security plugins, providing full administrative access to the attacker. The repository is well-structured, with clear separation between detection and exploitation scripts, and includes documentation and licensing information.
This repository contains a Go-based exploit for CVE-2024-28000, targeting the LiteSpeed Cache WordPress plugin (versions <=6.3). The main exploit logic is in 'exp.go', which interacts with a target WordPress site to check for vulnerability, enumerate users, and attempt to create a new administrator account by exploiting improper authentication in the plugin. The exploit works by forging cookies and sending a crafted JSON payload to the /wp-json/wp/v2/users endpoint. The code includes user prompts for the target site, desired username, password, and user ID, and uses concurrency to brute-force the required hash value. The repository is structured with a single main exploit file, Go module files, a workflow for building binaries, and a README describing the vulnerability and usage. The exploit is operational and provides full administrative access to vulnerable sites.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A referenced privilege escalation vulnerability/template used as an example for correct Nuclei tagging practices (marking account-creation templates as intrusive).
A vulnerability affecting the WordPress LiteSpeed Cache plugin that was marked as actively exploited.
A specific vulnerability in the LiteSpeed Cache WordPress plugin highlighted for patch prioritization due to sustained attacker attention (details not provided in the content).
A vulnerability explicitly called out for patch prioritization affecting the LiteSpeed Cache WordPress plugin (no technical details provided in the content).