A researcher received a $5,500 bug bounty for discovering a vulnerability (CVE-2024-2879) in LayerSlider, a plug-in with more than a million active installations.
April 4, 2024
Attackers can exploit a critical SQL injection vulnerability found in a widely used WordPress plug-in to compromise more than 1 million sites and extract sensitive data such as password hashes from associated databases.
A security researcher called AmrAwad (aka 1337_Wannabe) discovered the bug in LayerSlider, a plug-in for creating animated Web content. The security flaw, tracked as CVE-2024-2879, has a rating of 9.8 out of 10 on the CVSS 3.0 vulnerability-severity scale, and is associated with the "ls_get_popup_markup" action in versions 7.9.11 and 7.10.0 of LayerSlider. The vulnerability is due to "insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query," according to Wordfence.
"This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database," the company said.
Wordfence awarded the researcher a bounty of $5,500 — the company's highest bounty to date — for the discovery, according to a blog post by Wordfence. AmrAwad's March 25 submission came as part of Wordfence's second Bug Bounty Extravaganza, and the company contacted the Kreatura Team, developers of the plug-in, the same day to notify them of the flaw. The team responded the next day and delivered a patch in version 7.10.1 of LayerSlider on March 27.
The potential for exploitation of the vulnerability lies in the insecure implementation of the LayerSlider plug-in's slider popup markup query functionality, which has an "id" parameter, according to Wordfence.
According to the firm, "if the 'id' parameter is not a number, it is passed without sanitization to the find() function in the LS_Sliders class," which "queries the sliders in a way that constructs a statement without the prepare() function."
Since that function would "parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks," its absence creates a vulnerable scenario, according to Wordfence.
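To make the mechanism concrete, here is an added illustration (not LayerSlider's code, which the article does not reproduce) of a WordPress-style lookup in the shape Wordfence describes: a find() that drops a non-numeric id straight into the SQL text, beside a hardened version that routes every user-supplied value through $wpdb->prepare(). The table name and the assumption that a non-numeric id is looked up by a "slug" column are mine.

```php
<?php
// Added illustration, not LayerSlider's code. Relies on the global $wpdb
// object WordPress exposes; the ls_sliders table and slug column are assumed.

// Vulnerable shape: a numeric id is cast safely, but a non-numeric $id is
// interpolated into the statement with no escaping and no prepare(), which
// is the bug class the article describes.
function find_slider_vulnerable( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ls_sliders';
    if ( is_numeric( $id ) ) {
        $sql = "SELECT * FROM {$table} WHERE id = " . (int) $id;
    } else {
        $sql = "SELECT * FROM {$table} WHERE slug = '{$id}'"; // attacker controls the SQL text
    }
    return $wpdb->get_row( $sql );
}

// Hardened shape: both branches go through $wpdb->prepare(), which
// parameterizes and escapes the value before the query executes.
function find_slider_hardened( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ls_sliders';
    if ( is_numeric( $id ) ) {
        $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", (int) $id );
    } else {
        $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE slug = %s", $id );
    }
    return $wpdb->get_row( $sql );
}
```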
However, exploiting the flaw requires "a time-based blind approach" on the part of attackers to extract database information, which is "an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities," according to Wordfence.
"This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database," the company explained.
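Because the exploitation path depends on non-numeric ids and on response timing, a site owner can look for exactly that in access logs. The following is an added detection example, not code from the article or the plug-in; the log lines are constructed, and the admin-ajax.php?action=... URL shape and the trailing per-request duration field are assumptions about the log format.

```php
<?php
// Added example, not the article's or the plug-in's code. Log lines are constructed;
// the admin-ajax.php?action=... URL shape and the trailing duration field are assumed.
const LS_ACTION       = 'ls_get_popup_markup';
const SLOW_SECONDS    = 3.0;                   // response time that suggests a timing probe
const SQL_TIME_TOKENS = '/\b(SLEEP|CASE)\b/i'; // the SQL constructs the article names

// Parses one "METHOD PATH?QUERY STATUS DURATION" line; null when it does not match.
function parse_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) (\S+) (\d{3}) ([\d.]+)$/', trim( $line ), $m ) ) {
        return null;
    }
    parse_str( (string) parse_url( $m[2], PHP_URL_QUERY ), $params );
    return [ 'params' => $params, 'status' => (int) $m[3], 'duration' => (float) $m[4] ];
}

// Returns null for uninteresting requests, 'review' or 'high' for suspicious ones.
function classify( array $req ): ?string {
    $p  = $req['params'];
    $id = $p['id'] ?? null;
    if ( ( $p['action'] ?? '' ) !== LS_ACTION || ! is_string( $id ) || is_numeric( $id ) ) {
        return null;   // other endpoints, or a numeric id that takes the safe code path
    }
    if ( preg_match( SQL_TIME_TOKENS, $id ) ) {
        return 'high'; // SQL timing keywords inside a non-numeric id
    }
    return $req['duration'] >= SLOW_SECONDS ? 'high' : 'review';
}

function scan( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $req = parse_line( $line );
        if ( $req !== null && ( $level = classify( $req ) ) !== null ) {
            $hits[] = [ 'level' => $level, 'id' => $req['params']['id'], 'duration' => $req['duration'] ];
        }
    }
    return $hits;
}

// Constructed sample: method path status duration-seconds.
$sample = [
    'GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=42 200 0.08',
    'GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=home-hero 200 0.11',
    'GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=probe%20SLEEP(5) 200 5.02',
    'GET /wp-admin/admin-ajax.php?action=heartbeat 200 0.05',
];
print_r( scan( $sample ) );
```

A numeric id is ignored because it takes the safe code path; a non-numeric id is worth reviewing on its own, and one that carries SQL timing keywords or arrives with a slow response is raised to high.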
Vulnerable WordPress sites are a popular target for attackers given the content management system's widespread use across the Internet, and vulnerabilities often exist in the plug-ins that independent developers create to add functionality to sites on the platform.
Indeed, at least 43% of all websites on the Internet run on WordPress, using it to power their sites, e-commerce applications, and communities. Further, the wealth of sensitive data such as user passwords and payment info often stored within their pages represents a significant opportunity for threat actors who seek to misuse it.
Making "the WordPress ecosystem more secure … ultimately makes the entire web more secure," WordPress noted.
Wordfence advised that WordPress users with LayerSlider installed on sites verify immediately that they are updated to the latest, patched version of the plug-in to ensure it isn't vulnerable to exploit.
Elizabeth Montalbano, Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.