A critical security flaw affecting the LayerSlider WordPress plugin could be exploited to extract sensitive information from databases, such as password hashes.
The flaw, designated CVE-2024-2879, carries a CVSS score of 9.8 out of a possible 10.0. It was described as a case of SQL injection that impacted versions 7.9.11 through 7.10.0.
The issue was fixed in version 7.10.1 released on March 27, 2024, following the responsible disclosure on March 25. “This update includes important security fixes,” LayerSlider maintainers said in their release notes.
LayerSlider is a visual web content editor, graphic design and digital visual effects software that allows users to create rich animations and content for their websites. According to its site, the plugin is used by “millions of users around the world.”
The flaw discovered in the tool stems from a case of insufficient leakage of user-supplied parameters and the absence of wpdb::prepare(), allowing unauthenticated attackers to add additional SQL queries and collect sensitive information, Wordfence said.
The development follows the discovery of an unauthenticated stored cross-site scripting (XSS) flaw in the WP-Members Membership Plugin (CVE-2024-1852, CVSS score: 7.2) that could facilitate the execution of arbitrary JavaScript code. It has been fixed in version 3.4.9.3.
The vulnerability, due to insufficient input sanitization and output escaping, “allows unauthenticated attackers to inject arbitrary web script into pages that will be executed whenever a user accesses an inserted page that is the modification of users,” the WordPress security firm said.
If the code were executed in the context of an administrator’s browser session, it could be used to create unauthorized user accounts, redirect site visitors to other malicious sites, and carry out other attacks, he added.
In recent weeks, security vulnerabilities have also been found in other WordPress plugins such as Tutor LMS (CVE-2024-1751, CVSS score: 8.8) and Contact Form Entries (CVE-2024-2030, CVSS score: 6.4) which They could be exploited to disclose information and inject arbitrary web scripts, respectively.