Wednesday, July 3, 2024

Critical Security Flaw Exposes 1 Million WordPress Sites to SQL Injection

Attackers can exploit a critical SQL injection vulnerability in a widely used WordPress plug-in to compromise more than 1 million sites and extract sensitive data such as password hashes from the associated databases.

A security researcher known as AmrAwad (aka 1337_Wannabe) discovered the bug in LayerSlider, a plug-in for creating animated Web content. The security flaw, tracked as CVE-2024-2879, has a rating of 9.8 out of 10 on the CVSS 3.0 vulnerability-severity scale, and is associated with the “ls_get_popup_markup” action in versions 7.9.11 and 7.10.0 of LayerSlider. The vulnerability is due to “insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query,” according to Wordfence.

“This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database,” the company said.

Wordfence awarded the researcher a bounty of $5,500 — the company’s highest bounty to date — for the discovery, according to a blog post by Wordfence. AmrAwad’s March 25 submission came as part of Wordfence’s second Bug Bounty Extravaganza, and the company contacted the Kreatura Team, developers of the plug-in, the same day to notify them of the flaw. The team responded the next day and delivered a patch in version 7.10.1 of LayerSlider on March 27.

Exploiting the LayerSlider SQL Injection Flaw

The potential for exploitation of the vulnerability lies in the insecure implementation of the LayerSlider plug-in’s slider popup markup query functionality, which takes an “id” parameter, according to Wordfence.

According to the firm, “if the ‘id’ parameter is not a number, it is passed without sanitization to the find() function in the LS_Sliders class,” which “queries the sliders in a way that constructs a statement without the prepare() function.”

Since that function would “parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks,” its absence creates a vulnerable condition, according to Wordfence.

However, exploiting the flaw requires “a time-based blind approach” on the part of attackers to extract database information, which is “an intricate, but frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities,” according to Wordfence.

“This means they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database,” the company explained.
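To make the missing-prepare() pattern concrete, here is an added, illustrative snippet in the style of a WordPress plugin (written for this page; it is not LayerSlider's code, and the class, table and handler names are assumed). The unsafe lookup interpolates a non-numeric “id” straight into the query string, as Wordfence describes; the hardened version routes every user-controlled value through $wpdb->prepare(), which also removes the timing side channel a blind technique depends on.

```php
<?php
// Illustrative example, not LayerSlider's code. Class name, table name and
// AJAX action are assumed; only the vulnerable/fixed pattern is the point.

class Example_Sliders {
    // VULNERABLE: a non-numeric $id is concatenated into SQL with no escaping
    // and no $wpdb->prepare(), so attacker-controlled text becomes SQL syntax.
    public static function find_unsafe( $id ) {
        global $wpdb;
        $table = $wpdb->prefix . 'example_sliders';
        if ( is_numeric( $id ) ) {
            $where = 'id = ' . (int) $id;      // integer cast: safe path
        } else {
            $where = "slug = '" . $id . "'";   // raw string: injectable path
        }
        return $wpdb->get_row( "SELECT * FROM {$table} WHERE {$where}" );
    }

    // HARDENED: both branches are parameterized with $wpdb->prepare(), which
    // escapes %s values and coerces %d values before the query is executed.
    public static function find_safe( $id ) {
        global $wpdb;
        $table = $wpdb->prefix . 'example_sliders';
        if ( is_numeric( $id ) ) {
            $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", absint( $id ) );
        } else {
            $slug = sanitize_title( $id );      // restrict to slug characters first
            $sql  = $wpdb->prepare( "SELECT * FROM {$table} WHERE slug = %s", $slug );
        }
        return $wpdb->get_row( $sql );
    }
}

// AJAX handler in the hardened style: validate the parameter, then query.
// (Handler and action names are assumed for this example.)
function example_get_popup_markup() {
    $id = isset( $_GET['id'] ) ? wp_unslash( $_GET['id'] ) : '';
    if ( '' === $id ) {
        wp_send_json_error( 'missing id', 400 );
    }
    $slider = Example_Sliders::find_safe( $id );
    if ( ! $slider ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'id' => (int) $slider->id ) );
}
add_action( 'wp_ajax_example_get_popup_markup', 'example_get_popup_markup' );
add_action( 'wp_ajax_nopriv_example_get_popup_markup', 'example_get_popup_markup' );
```

A quick review check for any plugin: every $wpdb->query()/get_row()/get_results() call that embeds request data should be wrapped in $wpdb->prepare(), and non-numeric identifiers should be constrained to an expected character set before they reach the query.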

Secure WordPress, Secure the Web

Vulnerable WordPress sites are a popular target for attackers given the content management system’s widespread use across the Internet, and vulnerabilities often exist in plug-ins that independent developers create to add functionality to sites using the platform.

Indeed, at least 43% of websites on the entire Internet use WordPress to power their sites, e-commerce applications, and communities. Further, the wealth of sensitive data such as user passwords and payment information often stored within their pages represents a significant opportunity for threat actors who seek to misuse it.

Making “the WordPress ecosystem safer … ultimately makes the entire web safer,” WordPress noted.

Wordfence advised that WordPress users with LayerSlider installed on their sites verify immediately that they are updated to the latest, patched version of the plug-in to ensure it is not vulnerable to exploitation.
