Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

Share:

A critical security flaw impacting the LayerSlider plugin for WordPress could be abused to extract sensitive information from databases, such as password hashes.

The flaw, designated as CVE-2024-2879, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as a case of SQL injection impacting versions from 7.9.11 through 7.10.0.

The issue has been addressed in version 7.10.1 released on March 27, 2024, following responsible disclosure on March 25. “This update includes important security fixes,” the maintainers of LayerSlider said in their release notes.

LayerSlider is a visual web content editor, a graphic design software, and a digital visual effects that allows users to create animations and rich content for their websites. According to its own site, the plugin is used by “millions of users worldwide.”

The flaw discovered in the tool stems from a case of insufficient escaping of user supplied parameters and the absence of wpdb::prepare(), enabling unauthenticated attackers to append additional SQL queries and glean sensitive information, Wordfence said.

That having said, the way the query is structured limits the attack surface to a time-based approach where an adversary would need to observe the response time of each request to steal information from the database.

The development follows the discovery of an unauthenticated stored cross-site scripting (XSS) flaw in the WP-Members Membership Plugin (CVE-2024-1852, CVSS score: 7.2) that could facilitate the execution of arbitrary JavaScript code. It has been resolved in version 3.4.9.3.

WordPress Security Flaw

The vulnerability, due to insufficient input sanitization and output escaping, “makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page which is the edit users page,” the WordPress security company said.

Should the code be executed in the context of an administrator’s browser session, it can be used to create rogue user accounts, redirect site visitors to other malicious sites, and carry out other attacks, it added.

Over the past few weeks, security vulnerabilities have also been disclosed in other WordPress plugins such as Tutor LMS (CVE-2024-1751, CVSS score: 8.8) and Contact Form Entries (CVE-2024-2030, CVSS score: 6.4) that could be exploited for information disclosure and injecting arbitrary web scripts, respectively.

Ravie Lakshmanan

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
12:10 am, Feb 12, 2025
weather icon 4°C
L: 3° | H: 5°
overcast clouds
Humidity: 91 %
Pressure: 1019 mb
Wind: 5 mph NNW
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 100%
Rain Chance: 0%
Visibility: 6 km
Sunrise: 7:20 am
Sunset: 5:09 pm
DailyHourly
Daily ForecastHourly Forecast
Today 9:00 pm
weather icon
3° | 5°°C 0 mm 0% 5 mph 89 % 1021 mb 0 mm/h
Tomorrow 9:00 pm
weather icon
3° | 6°°C 0 mm 0% 9 mph 87 % 1025 mb 0 mm/h
Fri Feb 14 9:00 pm
weather icon
1° | 6°°C 0 mm 0% 8 mph 81 % 1026 mb 0 mm/h
Sat Feb 15 9:00 pm
weather icon
1° | 6°°C 0 mm 0% 8 mph 85 % 1024 mb 0 mm/h
Sun Feb 16 9:00 pm
weather icon
4° | 8°°C 1 mm 100% 6 mph 95 % 1019 mb 0 mm/h
Today 3:00 am
weather icon
4° | 4°°C 0 mm 0% 3 mph 89 % 1019 mb 0 mm/h
Today 6:00 am
weather icon
4° | 4°°C 0 mm 0% 3 mph 79 % 1018 mb 0 mm/h
Today 9:00 am
weather icon
4° | 4°°C 0 mm 0% 3 mph 76 % 1019 mb 0 mm/h
Today 12:00 pm
weather icon
5° | 5°°C 0 mm 0% 3 mph 68 % 1019 mb 0 mm/h
Today 3:00 pm
weather icon
6° | 6°°C 0 mm 0% 3 mph 71 % 1019 mb 0 mm/h
Today 6:00 pm
weather icon
5° | 5°°C 0 mm 0% 5 mph 76 % 1020 mb 0 mm/h
Today 9:00 pm
weather icon
5° | 5°°C 0 mm 0% 5 mph 78 % 1021 mb 0 mm/h
Tomorrow 12:00 am
weather icon
3° | 3°°C 0 mm 0% 4 mph 87 % 1022 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€92,403.96
-1.79%
Ethereum(ETH)
€2,512.14
-2.22%
Tether(USDT)
€0.96
-0.03%
XRP(XRP)
€2.33
-0.38%
Solana(SOL)
€191.11
-1.13%
USDC(USDC)
€0.97
0.00%
Dogecoin(DOGE)
€0.244301
-0.81%
Shiba Inu(SHIB)
€0.000015
-0.71%
Pepe(PEPE)
€0.000010
-0.11%
Scroll to Top