Serious security flaw exposes 1 million WordPress sites to SQL Injection

Attackers can exploit a critical SQL injection vulnerability in a widely used WordPress plugin to compromise more than 1 million sites and extract sensitive data, such as password hashes, from the associated databases.

A security researcher known as AmrAwad (aka 1337_Wannabe) discovered the bug in LayerSlider, a plugin for creating animated web content. The flaw, tracked as CVE-2024-2879, is rated 9.8 out of 10 on the CVSS 3.0 severity scale and affects the “ls_get_popup_markup” action in LayerSlider versions 7.9.11 through 7.10.0. The vulnerability is due to “insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query,” according to Wordfence.

“This allows unauthenticated attackers to add additional SQL queries to already existing queries that can be used to extract sensitive information from the database,” the company said.

According to a blog post by Wordfence, the company awarded the researcher a $5,500 bounty, the highest it has paid to date. AmrAwad’s March 25 report came as part of Wordfence’s second Bug Bounty Extravaganza, and the company contacted the Kreatura team, the plugin’s developers, the same day to inform them of the flaw. The team responded the next day and shipped a patch in LayerSlider version 7.10.1 on March 27.

Exploiting LayerSlider’s SQL injection flaw

The vulnerability lies in the insecure implementation of the LayerSlider plugin’s popup slider markup query functionality, which takes an “id” parameter, according to Wordfence.

According to the company, “if the ‘id’ parameter is not a number, it is passed without cleanup to the find() function in the LS_Sliders class,” which “queries the sliders to construct a statement without the prepare() function.”

Since prepare() would “parameterize and escape the SQL query for safe execution in WordPress, thus providing protection against SQL injection attacks,” its absence leaves the query exploitable, according to Wordfence.

However, because the vulnerable query returns no query output to the attacker, exploiting the flaw requires a “blind time-based approach” to extract information from the database, which Wordfence describes as “a complex, but often effective, method of obtaining information from a database when exploiting SQL Injection vulnerability.”

“This means they would need to use SQL CASE statements in conjunction with the SLEEP() command while respecting the response time of each request to steal information from the database,” the company explained.

Protect WordPress, protect the Web

Vulnerable WordPress sites are a popular target for attackers, given the content management system’s widespread use on the Internet, and vulnerabilities often exist in plug-ins that independent developers create to add functionality to sites using the platform.

In fact, at least 43% of websites on the Internet use WordPress to power their sites, e-commerce applications, and communities. Additionally, the wealth of sensitive data, such as user passwords and payment information, often stored by those sites presents a significant opportunity for threat actors seeking to abuse it.

Making “the WordPress ecosystem more secure… ultimately makes the entire web more secure,” WordPress noted.

Wordfence advises WordPress users with LayerSlider installed to update immediately to the latest patched version of the plugin (7.10.1 or later) so their sites are not vulnerable to exploitation.
