Critical flaw in LayerSlider WordPress plugin impacts 1 million sites

A premium WordPress plugin named LayerSlider, used in over one million sites, is vulnerable to unauthenticated SQL injection, requiring admins to prioritize applying security updates for the plugin.

LayerSlider is a versatile tool for creating responsive sliders, image galleries, and animations on WordPress sites, allowing users to build visually appealing elements with dynamic content on online platforms.

Researcher AmrAwad discovered the critical (CVSS score: 9.8) flaw, tracked as CVE-2024-2879, on March 25, 2024, and reported it to WordPress security firm Wordfence via its bug bounty program. For his responsible reporting, AmrAwad received a bounty of $5,500.

The flaw, which impacts versions 7.9.11 through 7.10.0 of the plugin, could allow attackers to extract sensitive data, such as password hashes, from the site’s database, putting affected sites at risk of complete takeover or data breaches.

Technical details provided in Wordfence’s report reveal that the vulnerability existed within the plugin’s ‘ls_get_popup_markup’ function’s handling of the ‘id’ parameter.

This function fails to sanitize the ‘id’ parameter properly, allowing attackers to inject malicious SQL code into specially crafted queries, resulting in execution of the injected SQL commands.

Part of the vulnerable code (Wordfence)

The structure of the possible queries limits the attack to time-based blind SQL injection, meaning that the attackers need to observe the response times to infer data from the database.

Despite this limitation, CVE-2024-2879 still enables malicious actors to extract information from the site’s database without requiring any authentication on the site, including password hashes and sensitive user information.

Wordfence explains that the issue is further exacerbated because the queries are not prepared using WordPress’s ‘$wpdb->prepare()’ function, which prevents SQL injection by ensuring that user input is sanitized before being used in database queries.

The plugin’s creator, Kreatura Team, was immediately notified of the flaw and quickly acknowledged the report. The developers released a security update on March 27, 2024, less than 48 hours after initial contact.

All users of LayerSlider are recommended to upgrade to version 7.10.1, which addresses the critical vulnerability.
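The affected range (7.9.11 through 7.10.0) and the fixed release (7.10.1) can be turned into a check across many sites. The Python below is an added example, not code from Wordfence or the plugin's developers; it assumes each site's plugin inventory was exported with WP-CLI's `wp plugin list --format=json` and that the plugin appears there under the name `LayerSlider`, and the sample inventory is constructed.

```python
import json
import re

AFFECTED_MIN = (7, 9, 11)    # first affected release, per the article
AFFECTED_MAX = (7, 10, 0)    # last affected release, per the article
PLUGIN_NAME = "layerslider"  # assumption: name as listed by WP-CLI, compared case-insensitively


def parse_version(text):
    """Return a 3-tuple of ints, or None when the string is not plain dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version_text):
    """Map a version string to a verdict for CVE-2024-2879."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # pre-release tags, empty strings: needs a manual look
    if version < AFFECTED_MIN:
        return "below-affected-range"
    if version <= AFFECTED_MAX:
        return "affected"
    return "patched"


def triage(inventory):
    """inventory maps site name -> JSON text from `wp plugin list --format=json`."""
    findings = []
    for site, raw in sorted(inventory.items()):
        for plugin in json.loads(raw):
            if plugin.get("name", "").lower() == PLUGIN_NAME:
                version = plugin.get("version", "")
                findings.append((site, version, plugin.get("status", ""), classify(version)))
    return findings


# Constructed sample inventory (hypothetical sites and values).
SAMPLE = {
    "shop.example": '[{"name":"LayerSlider","status":"active","update":"available","version":"7.10.0"}]',
    "blog.example": '[{"name":"akismet","status":"active","update":"none","version":"5.3"},'
                    '{"name":"LayerSlider","status":"active","update":"none","version":"7.10.1"}]',
    "old.example": '[{"name":"LayerSlider","status":"inactive","update":"available","version":"7.9.10"}]',
    "dev.example": '[{"name":"LayerSlider","status":"active","update":"none","version":"7.9.11-beta"}]',
}

if __name__ == "__main__":
    for site, version, status, verdict in triage(SAMPLE):
        print(f"{site:14} {version:12} {status:9} {verdict}")
```

Sites reported as "unknown" carry a version string the parser does not recognise and should be checked by hand rather than assumed safe.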

In general, it is important for WordPress site admins to keep all their plugins up to date, disable those that aren’t needed, use strong account passwords, and deactivate dormant accounts that can be hijacked.