Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

04-04-2024
Share
Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

A critical security flaw impacting the LayerSlider plugin for WordPress could be abused to extract sensitive information from databases, such as password hashes.

The flaw, designated as CVE-2024-2879, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as a case of SQL injection impacting versions from 7.9.11 through 7.10.0.

The issue has been addressed in version 7.10.1 released on March 27, 2024, following responsible disclosure on March 25. “This update includes important security fixes,” the maintainers of LayerSlider said in their release notes.

The flaw discovered in the tool stems from a case of insufficient escaping of user supplied parameters and the absence of wpdb::prepare(), enabling unauthenticated attackers to append additional SQL queries and glean sensitive information, Wordfence said.

That having said, the way the query is structured limits the attack surface to a time-based approach where an adversary would need to observe the response time of each request to steal information from the database.

The development follows the discovery of an unauthenticated stored cross-site scripting (XSS) flaw in the WP-Members Membership Plugin (CVE-2024-1852, CVSS score: 7.2) that could facilitate the execution of arbitrary JavaScript code. It has been resolved in version 3.4.9.3.
WordPress Security Flaw

Should the code be executed in the context of an administrator’s browser session, it can be used to create rogue user accounts, redirect site visitors to other malicious sites, and carry out other attacks, it added.

Over the past few weeks, security vulnerabilities have also been disclosed in other WordPress plugins such as Tutor LMS (CVE-2024-1751, CVSS score: 8.8) and Contact Form Entries (CVE-2024-2030, CVSS score: 6.4) that could be exploited for information disclosure and injecting arbitrary web scripts, respectively.

 

Source: https://thehackernews.com/