Million+ Sites at Risk: LayerSlider Vulnerability (CVE-2024-2879) Found

A critical vulnerability that enables SQL injection without authentication was recently identified in LayerSlider, a widely used WordPress plugin employed on over a million websites to build responsive sliders, image galleries, and animations.

This vulnerability, designated CVE-2024-2879, was discovered by researcher Amr Awad on March 25, 2024. It was promptly reported to Wordfence, a company specializing in WordPress security, as part of a vulnerability disclosure program. For his responsible disclosure, Awad received a reward of $5,500.

The issue affects plugin versions 7.9.11 through 7.10.0. It could allow sensitive data, including password hashes, to be extracted from the site's database, creating a risk of complete site takeover or data leakage.

According to Wordfence's report, the security flaw arises from improper handling of the "id" parameter in the "ls_get_popup_markup" function, which allows attackers to inject malicious SQL code. The injected commands are then executed, making it possible to extract information without authenticating on the site.

However, the attack's feasibility is limited because attackers must analyze response times to extract data, which slightly complicates the process.

The Kreatura developer team, responsible for the plugin’s creation, was promptly informed about the issue and swiftly released a security update on March 27, 2024, just a few days after the vulnerability was identified.

All LayerSlider users are strongly advised to update the plugin to version 7.10.1 to mitigate the vulnerability. In general, WordPress site administrators are encouraged to regularly update all utilized plugins, deactivate unnecessary ones, employ robust passwords, and deactivate inactive accounts to enhance their level of protection.
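For triaging an inventory against the version range above, the following is an added example, not code from Wordfence or Kreatura. It reads the `Version:` field from a WordPress plugin header and compares it numerically with the affected range (7.9.11 to 7.10.0) and the fixed release (7.10.1); the site names and header texts are constructed sample data.

```python
import re

# Version bounds as stated in the article.
FIRST_AFFECTED = (7, 9, 11)
LAST_AFFECTED = (7, 10, 0)
FIXED = (7, 10, 1)

# Matches the "Version:" field of a WordPress plugin header comment.
_VERSION_LINE = re.compile(
    r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.I | re.M)


def parse_version(text):
    """Turn '7.10' into (7, 10, 0) so versions compare numerically.

    Comparing the raw strings would sort '7.10.0' before '7.9.11'.
    """
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def version_from_header(header_text):
    """Return the version string from a plugin header, or None if absent."""
    match = _VERSION_LINE.search(header_text)
    return match.group(1) if match else None


def classify(version_text):
    """Classify a LayerSlider version against the article's range."""
    v = parse_version(version_text)
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "affected"
    return "fixed" if v >= FIXED else "not-in-stated-range"


def triage(headers):
    """Map each site to a status; 'unknown' when no version is readable."""
    versions = {site: version_from_header(h) for site, h in headers.items()}
    return {s: classify(v) if v else "unknown" for s, v in versions.items()}


# Constructed sample input: plugin header text collected per site.
SAMPLE_HEADERS = {
    "site-a": "/*\nPlugin Name: LayerSlider\nVersion: 7.10.0\n*/",
    "site-b": "/*\n * Plugin Name: LayerSlider\n * Version: 7.10.1\n */",
    "site-c": "/*\nPlugin Name: LayerSlider\n*/",
}

if __name__ == "__main__":
    for site, status in triage(SAMPLE_HEADERS).items():
        print(site, status)
```
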