
Critical Vulnerability in the LayerSlider Plugin Exposes More Than 1 Million WordPress Sites to SQL Injection

A recent discovery by security researcher AmrAwad, also known as 1337_Wannabe, has brought to light a critical vulnerability in the LayerSlider plugin for WordPress. This flaw, identified as CVE-2024-2879, poses a severe risk to more than a million websites using the plugin, potentially allowing attackers to compromise these sites and extract sensitive data, including password hashes, from their databases.


## The Vulnerability

The vulnerability, rated 9.8 out of 10 on the CVSS 3.0 vulnerability-severity scale, stems from a flaw in the "ls_get_popup_markup" action in versions 7.9.11 and 7.10.0 of LayerSlider. This flaw arises from insufficient escaping on user-supplied parameters and a lack of preparation on existing SQL queries, according to Wordfence, a WordPress security plugin.

## Exploitation and Bounty

AmrAwad's discovery earned them a bounty of $5,500 from Wordfence, marking the company's highest bounty to date. The bug was reported as part of Wordfence's second Bug Bounty Extravaganza, prompting the Kreatura Team, developers of LayerSlider, to release a patch in version 7.10.1 of the plugin on March 27.


## Potential Impact

The potential for exploitation lies in the insecure implementation of LayerSlider's slider popup markup query functionality, which uses an "id" parameter. If the "id" parameter is not a number, it is passed without sanitization to the find() function in the LS_Sliders class, which gives attackers an injection point.

To exploit the flaw, attackers would need to use a "time-based blind approach" to extract database information. This method involves using SQL CASE statements along with the SLEEP() command to steal information from the database while observing the response time of each request.
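For defenders, the two observations above (a non-numeric "id" on the "ls_get_popup_markup" action, and slow responses from SLEEP()-based probing) translate into a simple access-log check. The following is an added example, not code from the original post, Wordfence or LayerSlider. It assumes the action arrives in the query string of WordPress's AJAX endpoint, an nginx-style log line with the request time as the last field, and a 3-second slowness threshold; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: nginx-style access log with the request time (seconds) appended.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12 HTTP/1.1" 200 512 0.041
203.0.113.9 - - [02/Apr/2024:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=abc HTTP/1.1" 200 0 0.038
203.0.113.9 - - [02/Apr/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id%5Bk%5D=1 HTTP/1.1" 200 0 5.012
198.51.100.2 - - [02/Apr/2024:10:00:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&id=abc HTTP/1.1" 200 20 0.010
"""

LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} \d+ ([\d.]+)$')
SLOW_SECONDS = 3.0  # assumed threshold for a response delayed by SLEEP()


def suspicious_requests(log_text, slow_seconds=SLOW_SECONDS):
    """Return popup-markup requests whose id is present but not a plain number."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, elapsed = m.group(1), m.group(2), float(m.group(3))
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        if ("action", "ls_get_popup_markup") not in params:
            continue
        # parse_qsl percent-decodes keys; PHP turns id[...] keys into an array,
        # which is also "not a number" from the plugin's point of view.
        id_values = [v for k, v in params if k == "id"]
        array_form = any(k.startswith("id[") for k, _ in params)
        if not (id_values or array_form):
            continue
        numeric = (not array_form and len(id_values) == 1
                   and re.fullmatch(r"[0-9]+", id_values[0]) is not None)
        if not numeric:
            findings.append({"client": client, "target": target,
                             "slow": elapsed >= slow_seconds})
    return findings


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f)
```

Access logs do not record POST bodies, so this check only sees parameters sent in the query string.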


## Secure Your Site

Given WordPress's widespread use across the Internet, vulnerable WordPress sites are a prime target for attackers. It is crucial for WordPress users with LayerSlider installed to ensure they are using the latest, patched version of the plugin to protect their sites from exploitation.

Securing the WordPress ecosystem not only protects individual sites but also contributes to the overall security of the web. As WordPress powers a significant portion of websites, securing it helps safeguard the wealth of sensitive data stored within its pages, ultimately benefiting all users of the Internet.

Stay informed and stay safe online!