LiteSpeed Cache < 6.4 – Unauthenticated Privilege Escalation | CVE 2024-28000 | Plugin Vulnerabilities

Description

The plugin is vulnerable to privilege escalations due to the plugin not properly restricting the role simulation functionality allowing a user to set their current ID to that of an administrator, if they have access to a valid hash which can be found in the debug logs or brute forced. This makes it possible for unauthenticated attackers to spoof their user ID to that of an administrator, and then create a new user account with the administrator role utilizing the /wp-json/wp/v2/users REST API endpoint. In some environments, the crawler may be disabled making this a non-exploitable issue in those instances.

Affects Plugins

litespeed-cache

Fixed in 6.4

References

CVE

URL

https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-3-0-1-unauthenticated-privilege-escalation-vulnerability

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

John Blackbourn

Verified

No

WPVDB ID

281572e9-5b4f-44ad-b2d8-da2be29a8122

Timeline

Publicly Published

2024-08-21 (about 1 year ago)

Added

2024-08-21 (about 1 year ago)

Last Updated

2024-08-21 (about 1 year ago)

Other

Published

Title

Published

2025-03-18

Title

BoomBox Theme Extensions < 1.8.1 - Subscriber+ Privilege Escalation via Password Reset/Account Takeover in boombox_ajax_reset_password

Published

2017-10-31

Title

Shortcodes Ultimate <= 5.0.0 - Authenticated Contributor Code Execution

Published

2025-04-23

Title

My Tickets – Accessible Event Ticketing < 2.0.17 - Authenticated (Subscriber+) Privilege Escalation

Published

2026-03-20

Title

Creator LMS < 1.1.19 - Contributor+ Privilege Escalation

Published

2024-04-25

Title

Barcode Scanner with Inventory & Order Manager < 1.5.4 - Unauthenticated Privilege Escalation