A critical vulnerability in the WordPress plugin LayerSlider could allow unauthenticated attackers to extract password hashes through SQL injection.
The bug, tracked as CVE-2024-2879, has a CVSS score of 9.8 and affects LayerSlider versions 7.9.11 through 7.10.0. A patch for the flaw was first made available on March 27 with the release of LayerSlider 7.10.1.
LayerSlider is a visual web content, graphic design and digital visual effects plugin with “millions” of users worldwide, according to its website.
The LayerSlider vulnerability was discovered and reported by AmrAwad during Wordfence’s Bug Bounty Extravaganza on March 25, earning the researcher a $5,500 bounty, the highest ever paid out by Wordfence.
The potential for SQL injection lies in LayerSlider’s function for querying slider popup markup. If the “id” parameter of the “ls_get_popup_markup” function is not a number, it is not sanitized before it is passed to the “find” function.
Additionally, while the plugin escapes $args values using the “esc_sql” function, the “where” key is excluded from this escaping, so attacker-controlled input contained in “where” can be included in queries sent to the victim’s database.
As a result, an attacker could craft a request manipulating “id” and “where” to extract sensitive information, including password hashes, from the database.
However, UNION-based SQL injection is not possible when exploiting this vulnerability because of the structure of the queries, so an attacker would need to take the additional step of including SQL CASE statements and the “SLEEP” command in their requests.
This technique, known as time-based blind SQL injection, involves indirectly extracting data by monitoring the response time of the database server, which depends on whether the specified CASE condition evaluates true or false and on the SLEEP duration.
Repeatedly querying the database with different CASE conditions and observing the response time eventually enables the attacker to determine the values stored in the database.
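Because time-based blind injection leaves a distinctive trail (repeated requests from one source carrying CASE/SLEEP-style payloads in a parameter, with some responses taking seconds longer than normal), it can be spotted in ordinary web-server logs. The following detector is an added example written for this article, not code from Wordfence or LayerSlider; it assumes a combined-log format with a trailing response-time field in milliseconds and a hypothetical `/example-endpoint` taking an `id` parameter, and the log lines it scans are constructed for illustration. It also flags non-numeric `id` values on their own, since the article notes that only numeric ids are sanitized.

```python
"""Flag likely time-based blind SQL injection attempts in access logs.

Added example, not LayerSlider's or Wordfence's code. Assumed log format:
  ip - - [timestamp] "METHOD target HTTP/x" status bytes "referer" "ua" response_ms
The request path /example-endpoint and the sample lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "[^"]*" (?P<ms>\d+)$'
)
# Delay primitives used by time-based injection across common database engines.
DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)
# Conditional construct that turns a true/false test into a measurable delay.
CASE_RE = re.compile(r"\bCASE\b.*\bWHEN\b.*\bTHEN\b", re.I | re.S)
SLOW_MS = 3000  # response time above which a delay primitive is considered to have fired

# Constructed sample log (assumed format); three requests from one source probe the id parameter.
SAMPLE_LOG = """\
192.0.2.1 - - [02/Apr/2024:10:00:01 +0000] "GET /example-endpoint?id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 42
203.0.113.7 - - [02/Apr/2024:10:00:05 +0000] "GET /example-endpoint?id=%28CASE+WHEN+1%3D1+THEN+SLEEP%285%29+ELSE+0+END%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5031
203.0.113.7 - - [02/Apr/2024:10:00:06 +0000] "GET /example-endpoint?id=%28CASE+WHEN+1%3D2+THEN+SLEEP%285%29+ELSE+0+END%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 40
198.51.100.9 - - [02/Apr/2024:10:00:07 +0000] "GET /example-endpoint?id=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0" 38
192.0.2.2 - - [02/Apr/2024:10:00:08 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 20
203.0.113.7 - - [02/Apr/2024:10:00:12 +0000] "GET /example-endpoint?id=%2528SLEEP%25285%2529%2529 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5020
"""


def decode_params(target: str) -> dict:
    """Return query parameters, decoded twice so double-encoded payloads are visible."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return {k: unquote_plus(v) for k, v in pairs}


def classify(params: dict, response_ms: int):
    """Rate one request: high = delay primitive plus slow response, medium = injection
    syntax without a delay (e.g. the false branch of a CASE probe), low = non-numeric id."""
    values = " ".join(params.values())
    has_delay = bool(DELAY_RE.search(values))
    has_case = bool(CASE_RE.search(values))
    id_val = params.get("id")
    nonnumeric_id = id_val is not None and not id_val.isdigit()
    if has_delay and response_ms >= SLOW_MS:
        return "high"
    if has_delay or has_case:
        return "medium"
    if nonnumeric_id:
        return "low"
    return None


def scan_log(text: str) -> list:
    """Parse each log line and return a finding dict for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        params = decode_params(m["target"])
        severity = classify(params, int(m["ms"]))
        if severity:
            findings.append({"ip": m["ip"], "ts": m["ts"], "severity": severity,
                             "params": params, "ms": int(m["ms"])})
    return findings


def by_source(findings: list) -> dict:
    """Count findings per source IP; blind injection shows up as many probes from one source."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ip']:14} {f['ms']:5} ms {f['params']}")
    print("per source:", by_source(results))
```

The severity split matters in practice: the false branch of a CASE probe returns quickly, so a detector that keys only on slow responses misses half of a blind-injection session, while the repeated medium/high mix from a single source is the real signal to alert on.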
“This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities,” Wordfence stated in its blog post about the LayerSlider vulnerability.
Vulnerable WordPress plugins are a popular entry point for threat actors to extract data or compromise WordPress sites. For example, a cross-site scripting flaw in the Popup Builder plugin, tracked as CVE-2023-6000, was leveraged to spread Balada Injector malware on more than 6,700 WordPress sites in January.
Balada Injector was also deployed on more than 9,000 sites vulnerable to the TagDiv Composer plugin flaw tracked as CVE-2023-3169 last October. Overall, more than one million WordPress sites have been compromised in the Balada Injector campaign over the past six years, according to Sucuri.