Critical WordPress Plugin Vulnerability Exposes 1 Million Sites to SQL Injections

A researcher recently discovered a critical vulnerability in LayerSlider, a premium WordPress plugin used by over 1 million websites.

The flaw exposes impacted websites to unauthenticated SQL injection attacks, letting potential attackers retrieve significant data.

LayerSlider, the vulnerable plugin, is a popular tool that lets website owners create image galleries, animations, and responsive sliders.

Critical Flaw Reported to Bug Bounty Program

Tracked as CVE-2024-2879, the SQL injection vulnerability, which has a CVSS score of 9.8 and is flagged as critical, affects plugin versions 7.9.11 through 7.10.0. It was discovered by researcher AmrAwad on March 25, 2024, and submitted to the bug bounty program of WordPress security firm Wordfence.

As the flaw description reads, the weak spot is the plugin’s ls_get_popup_markup action, “due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.”

Allows Unauthenticated SQL Injection Attacks

This shortcoming could let attackers append additional SQL queries into existing ones, weaponizing them to steal data, including sensitive user information and password hashes.

To make matters worse, threat actors could perform these attacks without authenticating on vulnerable websites.

Following a SQL injection attack, the extracted data could let attackers breach confidential information and seize complete control of the affected website.

Vulnerable Websites Risk Being Weaponized

Full takeovers of affected websites could seriously affect visitors, who would likely be unaware that a malicious entity has taken control.

In this scenario, attackers could further exploit the situation by pushing malware-laced content on unsuspecting visitors, stealthily harvesting their data, leading them to phishing forms, or redirecting them to other malicious destinations.

According to Wordfence’s report, the “prepare() function would parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks.”

Patch Released, Update Strongly Recommended

After being promptly notified of the issue, the plugin’s developer, Kreatura Team, released a security update in less than 48 hours.

The shortcoming has been patched in version 7.10.1 of the LayerSlider plugin; users are advised to update to the latest version to avoid SQL injection attacks targeting vulnerable versions of the plugin.