By LBT Technology Group, LLC. on Wednesday, 17 April 2024
Category: Security

LayerSlider SQL injection vulnerability

Threat update

An unauthenticated Structured Query Language (SQL) injection vulnerability, known as CVE-2024-2879, has been found in the WordPress plugin LayerSlider.

Technical Detail and Additional Info

What is the threat?

The vulnerability is found in LayerSlider WordPress plugin versions 7.9.11 and 7.10.0. It has a CVSS score of 9.8 and makes the plugin susceptible to SQL injection through the ls_get_popup_markup action. It is caused by insufficient escaping of the user-supplied parameter and the absence of wpdb::prepare(). As a result, unauthenticated attackers can append new SQL queries to existing ones and retrieve sensitive data, such as password hashes, from the database.

The affected code is the plugin's ls_get_popup_markup action, which uses the 'id' argument to query slider markup for popups. If the parameter is not a specific number, the plugin passes it into the query without any sanitization, which allows SQL injection.

Why is it noteworthy?

SQL injection attacks are one of the oldest and most dangerous web application vulnerabilities. If a SQL injection exploit is successful, it can read sensitive data from the database. It can also alter database data (insert/update/delete), perform database administration tasks like stopping the database management system (DBMS), retrieve the contents of a specific file located on the DBMS file system, and occasionally even send commands to the operating system. The query's structure restricts the attack surface to a time-based strategy, thus requiring an adversary to track the duration of each request's response to obtain database data.
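The two observable traits described above (an 'id' value that is not a number, and time-based extraction that shows up as slow responses) can be checked for in web server access logs. The following Python code is an added example, not taken from the advisory or from LayerSlider. It assumes a combined-format access log with the request time in seconds appended to each line, assumes the parameters appear in the logged query string, and uses an assumed 3-second threshold; the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

ACTION = "ls_get_popup_markup"  # AJAX action named in the advisory
SLOW_SECONDS = 3.0              # assumed threshold for an unusually slow reply

# Assumed layout: combined log format with the request time in seconds appended.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$'
)

def inspect(line):
    """Return a finding for a suspicious popup-markup request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qsl(url.query, keep_blank_values=True)
    if ACTION not in [v for k, v in params if k == "action"]:
        return None
    ids = [v for k, v in params if k == "id"]
    reasons = []
    # Expected shape: exactly one 'id' made only of ASCII digits.
    if len(ids) != 1 or not (ids[0].isascii() and ids[0].isdigit()):
        reasons.append("non-numeric-id")
    # Time-based extraction shows up as slow replies on this action.
    if float(m["rt"]) >= SLOW_SECONDS:
        reasons.append("slow-response")
    if not reasons:
        return None
    return {"ip": m["ip"], "reasons": reasons, "request_time": float(m["rt"])}

def scan(lines):
    return [f for f in map(inspect, lines) if f]

def sample_line(ip, query, rt):
    # Builds one constructed log line; addresses are documentation ranges.
    return (f'{ip} - - [17/Apr/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
            f'?{query} HTTP/1.1" 200 512 "-" "Mozilla/5.0" {rt}')

SAMPLE = [  # constructed input, not real traffic
    sample_line("198.51.100.7", f"action={ACTION}&id=12", "0.041"),
    sample_line("203.0.113.9", f"action={ACTION}&id=not-a-number", "0.050"),
    sample_line("203.0.113.9", f"action={ACTION}&id=not-a-number", "5.012"),
    sample_line("198.51.100.7", "action=heartbeat", "6.000"),
]
```

Calling scan(SAMPLE) returns findings for the second and third lines only. Parameters sent in a POST body are not written to access logs, so this check sees only requests that carry them in the URL.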

What is the exposure or risk?

Over 40 percent of websites use WordPress to power their sites, e-commerce applications, and communities. More than 1,000,000 WordPress sites have LayerSlider installed because it makes it easy to create visually appealing websites. Given how widely the content management system is used across the Internet, this vulnerability raises concerns about a significant security risk.

What are the recommendations?

LBT Technology Group recommends the following actions to stay protected against this vulnerability:

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact LBT's Sales Engineer.
