WordPress LayerSlider plugin bug risks password hash extraction – SC Media

Credit: Adobe Stock Images
A critical vulnerability in the WordPress plugin LayerSlider could allow unauthenticated attackers to extract password hashes via SQL injection.
The bug, tracked as CVE-2024-2879, has a CVSS score of 9.8 and affects LayerSlider versions 7.9.11 through 7.10.0. A patch for the flaw was first made available on March 27 with the release of LayerSlider 7.10.1.
LayerSlider is a visual web content, graphic design and digital visual effects plugin with “millions” of users worldwide, according to its website.
The LayerSlider vulnerability was discovered and reported by AmrAwad during Wordfence’s Bug Bounty Extravaganza on March 25, earning the researcher a $5,500 bounty, the highest ever paid out by Wordfence.

The potential for SQL injection lies in LayerSlider’s function to query slider popup markups. If the “id” parameter of the “ls_get_popup_markup” function is not a number, it is not sanitized before it is passed to the “find” function.
Additionally, while the plugin escapes $args values using the “esc_sql” function, the “where” key is excluded from this escaping function and thus attacker-controlled inputs contained within “where” can be included in queries to the victim’s database.
As a result, an attacker could craft a request manipulating “id” and “where” to extract sensitive information, including password hashes, from the database.
However, UNION-based SQL injections are not possible when exploiting this vulnerability due to the structure of the queries, so an attacker would need to take the additional step of including SQL CASE statements and the “SLEEP” command in their requests.
This method, known as time-based blind SQL injection, involves indirectly extracting data by monitoring the response time of the database server based on the specified true/false CASE statements and the SLEEP time.
Repeatedly querying the database with different CASE conditions and observing the response time eventually enables the attacker to determine the values contained in the database.
“This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities,” Wordfence stated in its blog post about the LayerSlider vulnerability.
Vulnerable WordPress plugins are a popular entry point for threat actors to extract data or compromise WordPress sites. For example, a cross-site scripting flaw in the Popup Builder plugin, tracked as CVE-2023-6000, was leveraged to spread Balada Injector malware on more than 6,700 WordPress sites in January.
Balada Injector was also deployed on more than 9,000 sites vulnerable to the TagDiv Composer plugin flaw tracked as CVE-2023-3169 last October. Overall, more than a million WordPress sites have been compromised in the Balada Injector campaign over the past six years, according to Sucuri.

Malicious Android apps have been leveraged by Pakistan-linked hacking operation Transparent Tribe to facilitate the deployment of the CapraRAT spyware as part of a new surveillance campaign against gamers and weapons enthusiasts, reports The Hacker News.

Numerous widely used iOS and macOS apps could be compromised in supply chain attacks with a trio of vulnerabilities in the CocoaPods dependency manager, all of which have already been remediated in October, The Hacker News reports.

Both authenticated and unauthenticated users could leverage the vulnerability, which affects FileCatalyst Workflow versions 5.1.6 Build 135 and earlier.
On-Demand Event

On-Demand Event

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.

Copyright © 2024 CyberRisk Alliance, LLC All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.
Your use of this website constitutes acceptance of CyberRisk Alliance Privacy Policy and Terms & Conditions.

source

Leave a Reply

Your email address will not be published. Required fields are marked *