A severe security vulnerability has been identified in the LayerSlider plugin for WordPress, which could potentially allow malicious actors to extract sensitive data from databases, including password hashes.
The vulnerability, known as CVE-2024-2879, has been assigned a CVSS score of 9.8, indicating its critical nature. The issue is an instance of SQL injection and affects LayerSlider versions from 7.9.11 to 7.10.0.
The vulnerability was rectified in the 7.10.1 version of LayerSlider, released on March 27, 2024, two days after the issue was responsibly disclosed. The update includes crucial security fixes, according to the LayerSlider team.
About LayerSlider
LayerSlider serves as a visual web content editor, graphic design software, and digital visual effects tool, enabling users to create animated and rich content for their websites. The plugin boasts a user base in the millions.
The flaw in the tool arises from inadequate escaping of user-supplied parameters and the lack of wpdb::prepare(). This allows unauthenticated attackers to append extra SQL queries and extract sensitive data.
Following this development, an unauthenticated stored cross-site scripting (XSS) flaw was discovered in the WP-Members Membership Plugin (CVE-2024-1852, CVSS score: 7.2), which could enable the execution of arbitrary JavaScript code. This issue was resolved in version 3.4.9.3.
Impact of the WordPress Security Flaw
The vulnerability, caused by inadequate input sanitization and output escaping, allows unauthenticated attackers to inject arbitrary web scripts into pages. These scripts would execute whenever a user accesses an injected page, such as the edit users page.
If the code is executed within an administrator’s browser session, it could be used to create unauthorized user accounts, redirect site visitors to harmful sites, and perform other attacks.
Additional Security Vulnerabilities
In recent weeks, security vulnerabilities have been revealed in other WordPress plugins, including Tutr LMS (CVE-2024-1751, CVSS score: 8.8) and Contact Form Entries (CVE-2024-2030, CVSS score: 6.4). These vulnerabilities could be exploited for information disclosure and the injection of arbitrary web scripts.
