Published: 2024-04-04



A critical vulnerability in the WordPress plugin LayerSlider could allow an unauthenticated attacker to extract password hashes via SQL injection.

This bug is tracked as CVE-2024-2879, has a CVSS score of 9.8, and affects LayerSlider versions 7.9.11 through 7.10.0. A patch for this flaw was first made available with the release of LayerSlider 7.10.1 on March 27th.

According to the company's website, LayerSlider is a visual web content, graphic design, and digital visual effects plugin used by millions of users worldwide.

The LayerSlider vulnerability was discovered and reported by AmrAwad during Wordfence's Bug Bounty Extravaganza on March 25th, and the researcher won a $5,500 bounty, the largest ever paid by Wordfence.

The potential for SQL injection is in LayerSlider's function that queries the slider popup markup. If the id parameter of the ls_get_popup_markup function is not numeric, the parameter is not sanitized before being passed to the find function.

Additionally, the plugin uses the esc_sql function to escape the $args value, but the where key is excluded from this escaping, so any attacker-controlled input contained in where can be included unescaped in the query sent to the victim's database.

As a result, an attacker could craft requests that manipulate the id value and supply a where condition to extract sensitive information, including password hashes, from the database.
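To make the two defects described above concrete, here is an added example (not LayerSlider's code, and not Wordfence's) that models the flawed query-building pattern in Python beside a hardened form. The table name, the `esc_sql` stand-in, the `ALLOWED_COLUMNS` allowlist and the sample inputs are all assumptions constructed for illustration; the real plugin's SQL is not reproduced here.

```python
import re


def esc_sql(value):
    """Stand-in for WordPress's esc_sql(): backslash-escape quotes and backslashes.
    Escaping values is not a substitute for binding them as parameters."""
    return re.sub(r"([\\'\"])", r"\\\1", str(value))


def build_query_vulnerable(slider_id, args=None):
    """Model of the flawed pattern: a numeric id is cast, any other id is
    interpolated raw, and the 'where' key is exempt from esc_sql."""
    args = dict(args or {})
    if re.fullmatch(r"\d+", str(slider_id)):
        conditions = [f"id = {int(slider_id)}"]
    else:
        conditions = [f"id = '{slider_id}'"]  # non-numeric id, not sanitised
    for key, value in args.items():
        if key == "where":
            conditions.append(str(value))  # excluded from escaping entirely
        else:
            conditions.append(f"{key} = '{esc_sql(value)}'")
    return "SELECT * FROM sliders WHERE " + " AND ".join(conditions)


# Hypothetical allowlist of columns a caller may filter on (assumption).
ALLOWED_COLUMNS = {"slug", "status"}


def build_query_hardened(slider_id, args=None):
    """Hardened form: the id must be an integer, callers cannot pass raw SQL,
    and every filter becomes a placeholder whose value is bound separately."""
    if isinstance(slider_id, bool) or not re.fullmatch(r"\d+", str(slider_id)):
        raise ValueError("slider id must be a non-negative integer")
    args = dict(args or {})
    if "where" in args:
        raise ValueError("raw WHERE fragments are not accepted")
    conditions, params = ["id = %s"], [int(slider_id)]
    for key, value in args.items():
        if key not in ALLOWED_COLUMNS:
            raise ValueError(f"unsupported filter column: {key!r}")
        conditions.append(f"{key} = %s")
        params.append(str(value))
    return "SELECT * FROM sliders WHERE " + " AND ".join(conditions), params


def hardened_rejects(slider_id, args=None):
    """True when the hardened builder refuses the input."""
    try:
        build_query_hardened(slider_id, args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a non-numeric id plus a caller-supplied where fragment.
    untrusted = {"where": "status = 1 OR 1=1"}
    print(build_query_vulnerable("abc", untrusted))  # fragment lands in the SQL verbatim
    print(build_query_vulnerable(5, {"slug": "a'b"}))  # ordinary values are escaped
    print(build_query_hardened("7", {"slug": "demo"}))  # (sql with placeholders, params)
    print(hardened_rejects("abc", untrusted))  # True
```

The vulnerable builder shows why escaping alone is fragile: one exempted key is enough to hand the attacker the whole condition. The hardened builder never concatenates caller data into SQL text at all; the integer check on `id` and the allowlist on filter columns are what a reviewer should look for when auditing similar code.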

However, due to the structure of the query, UNION-based SQL injection is not possible when exploiting this vulnerability, so an attacker must take the additional step of including an SQL CASE statement and a SLEEP command in the request.

This method, known as time-based blind SQL injection, extracts data indirectly by monitoring the database server response time based on specified true/false CASE statements and SLEEP times.

By repeatedly querying the database with different CASE conditions and observing the response times, an attacker can eventually determine the values contained in the database.

This is a complex but frequently successful method for retrieving information from a database when exploiting SQL injection vulnerabilities, Wordfence said in a blog post about the LayerSlider vulnerability.
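The time-based technique described above leaves two observable traces in web server logs: delay primitives (SLEEP, CASE WHEN, BENCHMARK and similar) in request parameters, and repeated slow responses from one client to one endpoint. The following added example (written for this page, not code from Wordfence or LayerSlider) runs both checks over a few constructed access-log lines. The log format (combined log plus a trailing response time in seconds), the `/example-endpoint` path, the IP addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined log format with an appended response time, e.g. nginx "$request_time".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$'
)

# Delay primitives typical of time-based blind SQL injection across common engines.
TIME_BASED_SQLI = re.compile(
    r"(?i)\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b|\bcase\s+when\b"
)

# Constructed sample log: one client repeatedly probing with CASE/SLEEP, one normal client.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Apr/2024:10:00:01 +0000] "GET /example-endpoint?id=12 HTTP/1.1" 200 4821 0.031
203.0.113.5 - - [04/Apr/2024:10:00:02 +0000] "GET /example-endpoint?id=abc&where=CASE+WHEN+%281%3D1%29+THEN+SLEEP%285%29+ELSE+0+END HTTP/1.1" 200 37 5.012
203.0.113.5 - - [04/Apr/2024:10:00:08 +0000] "GET /example-endpoint?id=abc&where=CASE+WHEN+%281%3D2%29+THEN+SLEEP%285%29+ELSE+0+END HTTP/1.1" 200 37 0.028
203.0.113.5 - - [04/Apr/2024:10:00:09 +0000] "GET /example-endpoint?id=abc&where=CASE+WHEN+%281%3D1%29+THEN+SLEEP%285%29+ELSE+0+END HTTP/1.1" 200 37 5.009
203.0.113.5 - - [04/Apr/2024:10:00:15 +0000] "GET /example-endpoint?id=abc&where=CASE+WHEN+%281%3D1%29+THEN+SLEEP%285%29+ELSE+0+END HTTP/1.1" 200 37 5.011
198.51.100.9 - - [04/Apr/2024:10:00:20 +0000] "GET /example-endpoint?id=13 HTTP/1.1" 200 4790 0.029
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["rt"] = float(rec["rt"])
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode before matching, as attackers encode
    return rec


def detect(lines, slow_threshold=2.0, min_slow=3):
    """Return findings: per-request keyword hits plus per-(ip, path) clusters of
    slow responses. Thresholds are assumptions and should be tuned to the site's
    normal latency."""
    findings = []
    slow = defaultdict(list)
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if TIME_BASED_SQLI.search(rec["query"]):
            findings.append({"rule": "sqli-time-keyword", "line": n,
                             "ip": rec["ip"], "path": rec["path"]})
        if rec["rt"] >= slow_threshold:
            slow[(rec["ip"], rec["path"])].append(n)
    for (ip, path), line_numbers in slow.items():
        if len(line_numbers) >= min_slow:
            findings.append({"rule": "repeated-slow-responses", "ip": ip,
                             "path": path, "lines": line_numbers})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The keyword rule is cheap but easy to evade with obfuscation, which is why the latency rule is worth keeping alongside it: a blind extraction loop needs many requests, and the "true" branches show up as a cluster of slow responses from the same source regardless of how the payload is spelled. Both rules produce candidates for triage, not verdicts.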

Vulnerable WordPress plugins are a common entry point for threat actors to exfiltrate data or compromise WordPress sites. For example, a cross-site scripting flaw in the Popup Builder plugin, tracked as CVE-2023-6000, was exploited to spread Balada Injector malware to over 6,700 WordPress sites in January.

Balada Injector was also deployed to over 9,000 sites vulnerable to a TagDiv Composer plugin flaw tracked as CVE-2023-3169 last October. Overall, more than 1 million WordPress sites have been compromised by Balada Injector campaigns in the past six years, according to Sucuri.

