CVE-2024-28000 Vulnerability Exploit: Insights for WordPress Users

Overview

On October 1st, I came across a blog post on Techpoint Africa titled “NITDA Warns WordPress Users in Nigeria.” The mention of “NITDA” and “WordPress users” immediately piqued my interest. My curiosity as a cybersecurity professional was heightened—had the Nigerian government agency uncovered a new vulnerability (CVE)? Why was this issue significant enough to make mainstream headlines?

This led me to thoroughly investigate the announced CVE-2024-28000 vulnerability using my research and cybersecurity skills, resulting in a detailed analysis and methodology for professionals and enthusiasts alike. Here’s what I covered:

What is the LiteSpeed Cache Plugin?

LiteSpeed Cache (LSC) is a server-level caching plugin developed by LiteSpeed Technologies, with over 5 million active installations. It’s a powerful tool for WordPress users, offering site acceleration and optimization features, including support for WordPress Multisite, WooCommerce, bbPress, and Yoast SEO.

Relevance to Individuals, Businesses, and Security Professionals

For individuals (bloggers and freelancers), LSC improves website performance, resulting in faster load times and a better user experience, which boosts visitor retention and engagement. For businesses, especially eCommerce platforms, LSC helps reduce cart abandonment and operational costs by optimising server resources. Security professionals value its ability to lower server load during Distributed Denial of Service (DDoS) attacks, which contributes indirectly to website security by reducing the impact of such traffic.

About CVE-2024-28000 Vulnerability

CVE-2024-28000 affects the LiteSpeed Cache plugin in all versions up to and including 6.3.0.1. The vulnerability stems from improper restrictions in the plugin’s role simulation feature, which allows attackers to escalate privileges and impersonate administrators by exploiting the REST API. This could lead to unauthorised access and significant security breaches. The vulnerability was first reported by John Blackbourn, a member of the Patchstack Alliance, and it holds the distinction of earning the highest bug bounty in WordPress history: $14,400.

Incident Timeline for CVE-2024-28000

  • August 1, 2024: A vulnerability report was submitted by Patchstack Alliance member John Blackbourn. The team discussed the details of the vulnerability and its Proof of Concept (PoC).
  • August 5, 2024: Patchstack contacted the LiteSpeed team to notify them of the vulnerability affecting their LiteSpeed Cache plugin.
  • August 13, 2024: LiteSpeed released version 6.4 of the Cache plugin, addressing and patching the reported vulnerabilities.
  • August 19, 2024: The vulnerabilities were officially added to the Patchstack vulnerability database.
  • August 20, 2024: LiteSpeed added version 6.4 to the stable releases available for control panel plugins.
  • August 21, 2024: A public security advisory was released by Patchstack to inform users about the patched vulnerabilities.

Step-by-Step Guide to Exploiting the CVE-2024-28000 Vulnerability

I explored a Proof of Concept (PoC) script using Visual Studio Code to demonstrate how this vulnerability could be exploited. Here’s a breakdown of the steps:

Step 1: Create a New Folder

Create a new folder named CVE-2024-28000 Vulnerability Testing to store the necessary files.

Figure: Proof of Concept for CVE-2024-28000 Exploit – Step 1

Step 2: Clone the Repository

Open a terminal window and clone the repository with the following command: git clone https://github.com/Alucard0x1/CVE-2024-28000.git

Figure: Proof of Concept for CVE-2024-28000 Exploit – Step 2

Step 3: Navigate to the Cloned Directory

Navigate into the cloned directory with: cd CVE-2024-28000

Step 4: Verify the Files

Verify the files in the directory using the ls command.

Figure: Proof of Concept for CVE-2024-28000 Exploit – Step 4

Step 5: Install Required Libraries

Install the required Python libraries and dependencies by running: pip install -r requirements.txt

Figure: Proof of Concept for CVE-2024-28000 Exploit – Step 5

Step 6: Configure the Script

Open the litespeed_cache_poc.py script in Visual Studio Code using the explorer tab (Ctrl + P) to configure the script.

Figure: Proof of Concept for CVE-2024-28000 Exploit – Step 6

Output:

Figure: Proof of Concept for CVE-2024-28000 Exploit – Step 6b

Step 7: Modify Script Variables

Modify the following variables in the script (lines 7 and 10 respectively) to match the target WordPress site and the administrator user ID:
target_url = 'http://testpoc.com'
admin_user_id = '2'

Figure: Proof of Concept for CVE-2024-28000 Exploit – Step 7

Step 8: Trigger Security Hash Generation

The PoC triggers the generation of a security hash on the target site using an unauthenticated AJAX request. This step is required if the LiteSpeed Cache plugin has not yet generated the security hash.

Step 9: Initiate the Brute-Force Attack

To initiate the brute-force attack, run the following command: python litespeed_cache_poc.py

Figure: Proof of Concept for CVE-2024-28000 Exploit – Step 9

Interpreting the Results

  • If the script prints a line beginning [SUCCESS] Valid hash found:, the exploit was successful and administrator-level access was gained.
  • If it prints a line beginning [FAIL] Invalid hash:, that attempt failed because the guessed hash was incorrect.
  • If it prints a line beginning [ERROR] Unexpected response for hash:, the target site returned an unexpected status code and the exploit did not succeed.

Mitigation Strategies for CVE-2024-28000 Vulnerability

  • Update LiteSpeed Cache to version 6.4 or later to patch the vulnerability.
  • Implement a Web Application Firewall (WAF) to block malicious traffic.
  • Regularly audit administrative accounts to remove suspicious users.
  • Limit REST API access to authenticated users only.
  • Disable the Crawler Simulation feature if not required, reducing the attack surface.
  • Monitor website activity using security tools like Chronicle SIEM and SOAR for automated threat detection and response.
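As an added example (not from this post or the PoC repository), the detection logic a site owner could run over web-server access logs to spot the pattern the exploit produces: a single source firing a rapid burst of requests at the WordPress REST API while guessing hashes. The log lines are constructed, not real traffic, and the window, threshold and /wp-json/ prefix are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line is not combined-format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])

def find_rest_bursts(lines, window_s=60, threshold=25, prefix="/wp-json/"):
    """{ip: peak requests under `prefix` in any `window_s`-second sliding window}, for IPs
    whose peak reaches `threshold` (defaults are assumptions; tune to the site's traffic)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2].startswith(prefix):
            per_ip[rec[0]].append(rec[1])
    window = timedelta(seconds=window_s)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = peak = 0
        for end, t in enumerate(stamps):          # two-pointer sliding window
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def constructed_log():
    """Constructed sample, not real traffic: one source sends 30 REST API requests in
    15 s (the guessing pattern), while a normal visitor touches the API once."""
    base = datetime(2024, 8, 21, 10, 0, 0, tzinfo=timezone.utc)
    def line(t, ip, path, status):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
                f'{status} 123 "-" "python-requests/2.32"')
    noisy = [line(base + timedelta(seconds=i // 2), "203.0.113.7", "/wp-json/wp/v2/users", 401)
             for i in range(30)]
    normal = [line(base + timedelta(seconds=s), "198.51.100.4", p, 200)
              for s, p in ((5, "/"), (9, "/wp-json/wp/v2/posts"), (40, "/about/"))]
    return noisy + normal

print(find_rest_bursts(constructed_log()))   # {'203.0.113.7': 30}
```

Feed real access logs through `find_rest_bursts` (for example from a SIEM export) and forward any flagged source to the WAF block list or an alert; the 401 responses on the noisy source are what repeated invalid hashes look like from the server side.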

Key Takeaways

This experience reinforced a few essential lessons for me:

  1. Strengthening skills as a security researcher and architect is crucial for identifying and mitigating vulnerabilities.
  2. Staying updated with security news ensures timely action.
  3. Testing Proof of Concepts deepens understanding of real-world threats.
  4. Continuous learning and practice are key to mastering cybersecurity.

References

Alucard0x1. (2024, August 25). LiteSpeed Cache Privilege Escalation PoC. GitHub. https://github.com/Alucard0x1/CVE-2024-28000

Akintaro, S. (2024, October 1). NITDA alerts WordPress users in Nigeria over critical security vulnerability in LiteSpeed Cache plugin. Nairametrics. https://nairametrics.com/2024/09/30/nitda-alerts-wordpress-users-in-nigeria-over-critical-security-vulnerability-in-litespeed-cache-plugin/

BitNinja Security. (n.d.). Two new WAF rules released for CVE-2024-28000 vulnerability. BitNinja. https://bitninja.com/blog/two-new-waf-rules-released-for-cve-2024-28000-vulnerability/

Clarke, L. (2024, August 21). Security update for LiteSpeed Cache. LiteSpeed. https://blog.litespeedtech.com/2024/08/21/security-update-for-litespeed-cache/

CVE. (2024, August 21). CVE-2024-28000. CVE. https://www.cve.org/CVERecord?id=CVE-2024-28000

Fakiya, V. (2024, October 1). NITDA warns WordPress users in Nigeria. Techpoint Africa. https://techpoint.africa/2024/10/01/techpoint-digest-934/

Muhammad, R. (2024, August 21). Critical privilege escalation in LiteSpeed Cache plugin affecting 5+ million sites. Patchstack. https://patchstack.com/articles/critical-privilege-escalation-in-litespeed-cache-plugin-affecting-5-million-sites

Tenable. (2024, August 21). CVE-2024-28000. https://www.tenable.com/cve/CVE-2024-28000

Joel Aheybor