Critical Security Flaw Exposes 1 Million WordPress Sites
A researcher was awarded a $5,500 bounty for uncovering a security vulnerability (CVE-2024-2879) in LayerSlider, a WordPress plugin active on over one million websites.
Attackers can exploit a critical SQL injection vulnerability in the popular WordPress plugin to compromise over a million sites and extract sensitive information, such as users' password hashes, from the connected databases.
A security researcher using the handle AmrAwad (also known as 1337_Wannabe) found the bug in LayerSlider, a plugin for building animated web content. Rated 9.8 out of 10 on the CVSS 3.0 severity scale, the vulnerability, tracked as CVE-2024-2879, lies in the “ls_get_popup_markup” function in LayerSlider versions 7.9.11 and 7.10.0. It stems from “inadequate escaping on user-provided parameters and the absence of proper preparation in the current SQL command,” according to Wordfence.
“This allows unverified attackers to inject additional SQL commands into preexistent queries, which can be utilized to extract protected data from the database,” the company noted.
Wordfence awarded the researcher its highest bounty, $5,500, for the discovery, as disclosed in a blog post. AmrAwad's submission, made on March 25 as part of Wordfence's second Bug Bounty Extravaganza, was acted on quickly: the company notified the Kreatura Team, the plugin's developers, of the vulnerability the same day. The Kreatura Team responded the following day and released a fix in LayerSlider version 7.10.1 on March 27.
Exploiting the LayerSlider SQL Injection Vulnerability
The vulnerability is exploitable because of insecure handling in LayerSlider's slider popup markup retrieval functionality, which takes an “id” parameter, Wordfence explained.
According to the company, “if the ‘id’ parameter is not numeric, it goes through without cleansing into the find() routine present in the LS_Sliders class,” which “initiates a slider query that constructs a statement devoid of the prepare() method.”
Omitting this method, which would “parameterize and sanitize the SQL command for secure execution in WordPress, thus providing a shield against SQL injection assaults,” is what makes the query injectable, Wordfence said.
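The bug class Wordfence describes, shown here as an added illustration rather than LayerSlider's actual code: a hypothetical slider lookup in which a numeric id is cast to an integer but a non-numeric id falls through untouched into a query built by string concatenation, beside the hardened form that routes every user-supplied value through WordPress's $wpdb->prepare(). The function names, the table name and the choice of sanitize_title() for the non-numeric branch are assumptions made for this example.

```php
<?php
// Added illustration of the bug class described in the article; hypothetical code,
// not LayerSlider's. Assumes a WordPress plugin context where the $wpdb global and
// the helpers absint() and sanitize_title() are available.

// VULNERABLE PATTERN: the numeric branch is safe because of the (int) cast, but a
// non-numeric value is interpolated verbatim into the SQL text. Nothing here calls
// $wpdb->prepare(), so whatever the request supplies becomes part of the query.
function hypothetical_find_slider_vulnerable( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_sliders'; // hypothetical table name
    $where = is_numeric( $id )
        ? 'id = ' . (int) $id
        : "slug = '" . $id . "'"; // user input concatenated straight into SQL
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE {$where} LIMIT 1" );
}

// HARDENED PATTERN: both branches hand the value to $wpdb->prepare(), which casts %d
// placeholders to integers and quotes/escapes %s placeholders. The table name comes
// from the trusted $wpdb->prefix, not from the request, so interpolating it is fine.
function hypothetical_find_slider_safe( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_sliders'; // hypothetical table name
    if ( is_numeric( $id ) ) {
        $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d LIMIT 1", absint( $id ) );
    } else {
        // Narrow the accepted alphabet before the value reaches the query at all;
        // sanitize_title() reduces the input to a lowercase slug of [a-z0-9-_].
        $slug = sanitize_title( $id );
        $sql  = $wpdb->prepare( "SELECT * FROM {$table} WHERE slug = %s LIMIT 1", $slug );
    }
    return $wpdb->get_row( $sql );
}
```

The review question a practitioner asks of any WordPress plugin is the same one Wordfence raised here: does every code path that reaches $wpdb->get_row(), get_results() or query() pass through prepare() first, including the branch that handles the "unexpected" input type?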
However, attackers would need to use “a time-based blind strategy” to extract data from the database, which Wordfence describes as “a complex yet often efficacious tactic to secure data from a database when exploiting SQL Injection weaknesses.”
“Basically, this implies they would have to apply SQL CASE conditions in conjunction with the SLEEP() command, all the while gauging the response time for each query to surreptitiously gather data from the database,” the company explained.
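The time-based blind technique Wordfence describes leaves two observable traces on the server side: a parameter that should be an integer but is not, and requests whose response time is inflated by the injected delay. The following is an added defender-side example, not code from the article, Wordfence or Kreatura: it scans access-log lines for those two signals together. The log lines are constructed for the example (the request path is a hypothetical route, not LayerSlider's real endpoint), and the field layout assumes nginx's combined format with $request_time appended as the final field, which is a deployment-specific assumption.

```php
<?php
// Added example, not from the article: a small detection pass over access-log lines
// for the signals that time-based blind SQL injection leaves behind on an endpoint
// that expects a numeric "id". Log layout assumed: nginx combined + $request_time.

const SLOW_THRESHOLD_SECONDS = 3.0;

// Parse one log line into the pieces the heuristics need; null if the layout differs.
function parse_access_line( string $line ): ?array {
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" ([0-9.]+)$/';
    if ( ! preg_match( $pattern, $line, $m ) ) {
        return null;
    }
    $query = [];
    $qs    = parse_url( $m[3], PHP_URL_QUERY );
    if ( is_string( $qs ) ) {
        parse_str( $qs, $query ); // parse_str() URL-decodes the values for us
    }
    return [
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $m[3],
        'status' => (int) $m[4],
        'time'   => (float) $m[5],
        'query'  => $query,
    ];
}

// Return a list of human-readable reasons a request looks like blind-SQLi probing.
function suspicious_reasons( array $req ): array {
    $reasons = [];
    $id      = $req['query']['id'] ?? null;
    if ( $id !== null && ! is_numeric( $id ) ) {
        $reasons[] = 'non-numeric id on an endpoint that expects an integer';
        // Delay primitives and conditionals used for time-based extraction.
        if ( preg_match( '/\b(sleep|benchmark|waitfor)\b|\bcase\s+when\b/i', $id ) ) {
            $reasons[] = 'SQL time-delay or conditional keywords inside id';
        }
    }
    if ( $req['time'] >= SLOW_THRESHOLD_SECONDS ) {
        $reasons[] = sprintf( 'response took %.2fs (threshold %.1fs)', $req['time'], SLOW_THRESHOLD_SECONDS );
    }
    return $reasons;
}

// Scan a whole log; a line is reported only when two independent signals coincide,
// so a single slow request or a lone typo in the id does not page anyone.
function scan_log( string $log ): array {
    $hits = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $req = parse_access_line( $line );
        if ( $req === null ) {
            continue;
        }
        $reasons = suspicious_reasons( $req );
        if ( count( $reasons ) >= 2 ) {
            $hits[] = [ 'ip' => $req['ip'], 'path' => $req['path'], 'reasons' => $reasons ];
        }
    }
    return $hits;
}

// Constructed sample: one benign lookup, then a request with a non-numeric id carrying
// a delay keyword (deliberately not a working payload) that also took five seconds.
$constructed_log = <<<'LOG'
203.0.113.7 - - [27/Mar/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=hypothetical_popup_markup&id=5 HTTP/1.1" 200 1203 "-" "Mozilla/5.0" 0.041
198.51.100.9 - - [27/Mar/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=hypothetical_popup_markup&id=abc%20SLEEP(5) HTTP/1.1" 200 1203 "-" "python-requests/2.31" 5.062
LOG;

foreach ( scan_log( $constructed_log ) as $hit ) {
    printf( "%s %s\n  - %s\n", $hit['ip'], $hit['path'], implode( "\n  - ", $hit['reasons'] ) );
}
```

Only the second constructed line is reported, with all three reasons. Requiring two signals keeps the alert rate low on busy sites, and the response-time check catches attempts even when the keywords are obfuscated past the regex; once the 7.10.1 update is in place, the same scan is a cheap way to confirm whether the unpatched window was probed.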