Researcher Earns $5,500 Bounty for Discovering SQL Injection Vulnerability in LayerSlider WordPress Plugin

By|
Admin
|
2024-04-06
|
Vulnerabilities

A significant security flaw affecting LayerSlider, a popular WordPress plug-in with over a million installations, was recently discovered and disclosed by security researcher AmrAwad (also known as 1337_Wannabe). The vulnerability, identified as CVE-2024-2879, allows attackers to execute SQL injection attacks, potentially compromising sensitive data such as password hashes from associated databases.

The vulnerability, rated 9.8 out of 10 on the CVSS 3.0 severity scale, is specifically linked to the "ls_get_popup_markup" action in versions 7.9.11 and 7.10.0 of LayerSlider. According to Wordfence, the flaw is attributed to "insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query."

Upon discovering the vulnerability, AmrAwad submitted the findings to Wordfence as part of their Bug Bounty Extravaganza on March 25. Wordfence awarded a bounty of $5,500 to AmrAwad for this discovery, marking the company's highest bounty to date. Immediately after the disclosure, Wordfence contacted the Kreatura Team, developers of LayerSlider, who responded promptly by releasing a patch in version 7.10.1 on March 27 to address the vulnerability.

The exploit leverages insecure implementation within the LayerSlider plug-in's slider popup markup query functionality, particularly with the "id" parameter. If the "id" parameter is non-numeric, it is passed to the find() function in the LS_Sliders class without proper sanitization, leading to vulnerable SQL queries being executed without using the prepare() function, which is crucial for preventing SQL injection attacks.

To exploit this flaw, attackers must employ a time-based blind approach, using SQL CASE statements and the SLEEP() command to observe response times and extract information from the database.

Wordfence emphasized the importance of promptly updating LayerSlider to version 7.10.1 or newer to mitigate the risk of exploitation. Given the widespread use of WordPress across the internet—powering approximately 43% of all websites—vulnerable WordPress sites are lucrative targets for attackers seeking to access sensitive data.

Securing the WordPress ecosystem, including plugins like LayerSlider, plays a vital role in enhancing overall web security by reducing the attack surface for malicious actors and safeguarding user data.