Major WordPress Plugin Exposes Millions of Sites to Data Theft

A severe security flaw discovered in the popular LayerSlider WordPress plugin has potentially put over a million websites at risk of data breaches. The vulnerability, designated CVE-2024-2879 with a CVSS score of 9.8 (critical), could allow unauthenticated attackers to inject malicious SQL code and steal sensitive information from the underlying WordPress database.

The Flaw and Its Consequences

The SQL injection vulnerability, responsibly disclosed by security researcher Amr Awad during Wordfence’s Bug Bounty Extravaganza, stems from improper input sanitization in the plugin’s code. Attackers can exploit this weakness to manipulate database queries, potentially extracting:

  • Usernames and password hashes
  • Website configuration settings
  • Customer data (if stored within the WordPress database)
  • Other sensitive information

The Scope of the Problem

The LayerSlider plugin boasts over a million active installations, making this vulnerability a significant cause for concern. Websites using outdated versions of the plugin are particularly vulnerable and should take immediate action to protect themselves.

Technical Breakdown

The flaw originates from the plugin’s slider popup markup query functionality, specifically within the ls_get_popup_markup() function. This function fails to properly sanitize the ‘id’ parameter, leading to the potential injection of harmful SQL queries. This oversight, coupled with the absence of the essential wpdb->prepare() function, leaves the door wide open for SQL injection attacks.

Interestingly, the nature of the CVE-2024-2879 vulnerability requires attackers to employ a time-based blind SQL injection approach. This method, albeit more intricate and time-consuming, has proven effective in bypassing conventional security measures to siphon off valuable data stealthily.

The Importance of Updates

The developers of LayerSlider have swiftly responded to the vulnerability, releasing a patched version (7.10.1) to address the issue. Website owners using the LayerSlider plugin are strongly urged to update to the latest version immediately.

Steps to Protect Your WordPress Site

  1. Update Immediately: If you use LayerSlider, update to version 7.10.1 or later as soon as possible.
  2. Regular Patching: Keep WordPress itself, all plugins, and themes updated to address known vulnerabilities.
  3. Consider a Web Application Firewall (WAF): A WAF can provide an extra layer of defense by detecting and blocking common web attacks, including SQL injection attempts.