SQL Injection Vulnerability in LayerSlider Plugin for WordPress
CVE-2024-2879

CVSS 9.8 CRITICAL

Key Information:

Vendor: WordPress
CVE Published: 3 April 2024

Badges: 📈 Trended (score 4,780); 👾 Exploit Exists; 📰 News Worthy

What is CVE-2024-2879?

CVE-2024-2879 is a notable vulnerability in the LayerSlider plugin for WordPress, a widely used tool for building responsive sliders and other web content. It is an SQL injection flaw arising from insufficient input validation and escaping, which lets unauthenticated attackers manipulate database queries and potentially read sensitive data. The consequences for affected organizations can be severe: the flaw opens a path to data breaches and compromises the integrity of the information stored in the database.

Technical Details

The vulnerability lies in the plugin's ls_get_popup_markup action, in versions 7.9.11 through 7.10.0. It stems from missing sanitization of user-supplied parameters combined with SQL queries that are not built as prepared statements. As a result, attackers can inject SQL into the existing queries and execute arbitrary SQL statements that extract or manipulate data held in the database. Because the affected action is reachable without authentication, database contents, including user data, are exposed to unauthenticated parties, which makes this a significant concern for administrators running the plugin.
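The pattern the technical details describe, an AJAX handler that interpolates a request parameter into SQL, is shown below next to its hardened form. This is an added illustrative example written for this page, not LayerSlider's own code: the handler name example_popup_markup, the table example_popups and the id parameter are hypothetical, and the code assumes a WordPress runtime ($wpdb, absint, wp_unslash, add_action, wp_send_json_*).

```php
<?php
/*
 * Illustrative example only (not the LayerSlider plugin's code).
 * Table `example_popups`, action `example_popup_markup` and the `id`
 * parameter are hypothetical; a WordPress runtime is assumed.
 */

// VULNERABLE PATTERN: the raw request value is concatenated into the query,
// so the caller controls part of the SQL text, not just a bound value.
function example_popup_markup_vulnerable() {
    global $wpdb;
    $id  = isset( $_GET['id'] ) ? $_GET['id'] : '';
    $sql = "SELECT markup FROM {$wpdb->prefix}example_popups WHERE id = " . $id;
    $row = $wpdb->get_row( $sql );
    wp_send_json_success( $row ? $row->markup : null );
}

// HARDENED: coerce the input to the type the column expects and bind it with
// $wpdb->prepare(), so the value can never alter the structure of the query.
function example_popup_markup_hardened() {
    global $wpdb;
    $id = isset( $_GET['id'] ) ? absint( wp_unslash( $_GET['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 ); // exits
    }
    $sql = $wpdb->prepare(
        "SELECT markup FROM {$wpdb->prefix}example_popups WHERE id = %d",
        $id
    );
    $row = $wpdb->get_row( $sql );
    if ( ! $row ) {
        wp_send_json_error( 'not found', 404 ); // exits
    }
    wp_send_json_success( $row->markup );
}

// wp_ajax_nopriv_ makes the handler reachable by visitors who are not logged
// in, which is exactly why its input handling must be strict. Only the
// hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_popup_markup', 'example_popup_markup_hardened' );
add_action( 'wp_ajax_nopriv_example_popup_markup', 'example_popup_markup_hardened' );
```

The two defences are independent and both matter: absint() rejects anything that is not a positive integer before the query is built, and prepare() with %d (or %s for string columns) binds the value so the database receives it as data rather than as query text. Escaping alone is not a substitute when a value is placed unquoted into a numeric comparison, which is the kind of gap prepared statements close.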

Impact of the Vulnerability

  1. Data Breach Risk: Exploiting this vulnerability can allow attackers to access sensitive information stored in the database, including user credentials and personal data, leading to potential identity theft or misuse of information.

  2. Website Integrity Compromise: The ability to manipulate database queries could enable attackers to alter or delete content, affecting the overall integrity and functionality of the website. This may also disrupt services and deter customers.

  3. Reputational Damage: Organizations affected by this vulnerability may experience significant reputational harm due to data breaches or service malfunctions, resulting in loss of customer trust and adverse impacts on business operations.

Affected Version(s)

LayerSlider 7.9.11 through 7.10.0 (inclusive)

News Articles

WordPress LayerSlider Plugin: SQL Injection Vulnerability | Qualys Security Blog

On March 25th, 2024, a critical security vulnerability was discovered in the LayerSlider plugin for WordPress, marked as CVE-2024-2879. The plugins have more…

9 months ago

CVE-2024-2879 Archives

LayerSlider Plugin Flaw Exposes 1M... Recent media reports have revealed a crucial LayerSlider plugin flaw. According to these reports, this flaw has exposed numerous...

10 months ago


CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Vector string (derived from the metrics above): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

  • 📈 Vulnerability started trending
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • 📰 First article discovered by alinaa-cybersecurity.com
  • Vulnerability published

Credit

A.AWAD