The LayerSlider WordPress slider plugin has been installed by more than one million people and offers a full package of features for editing web content, creating digital visual effects, and designing graphic content in a single application.
Considering that WordPress is the most popular website builder in the world, as well as used by roughly half of all websites on the planet, it makes it an ideal target for cybercriminals all over the world. Despite that, hackers have turned their attention and focus to third-party themes and plugins, which are seldom as secure as the platform itself, because most people consider this platform to be relatively secure.
In addition, Defiant’s Wordfence team stated that unauthenticated attackers can append SQL queries to existing queries to extract information such as password hashes due to the lack of sufficient escape of the parameter supplied by the user, as well as the lack of sufficient preparation of the existing SQL query.
There is a vulnerability of over 1 million WordPress sites attributed to a premium plugin referred to as LayerSlider, requiring administrators to prioritize applying security updates to that plugin. In addition to being a visual web content editor, LayerSlider also offers graphic design software, as well as digital visual effects that enable users to create animations and rich content for their websites. It is noted by its website that there are millions of people using it globally.
During the week of March 25, 2024, a researcher named AmrAwad found a critical vulnerability (CVSS score: 9.8) affecting WordPress security firm Wordfence through their bug bounty program. He received $5,500 for his responsible reporting. AmrAwad was recognized for his responsible reporting.
If an attacker has access to sensitive data from the site's database, such as password hashes, from versions 7.9.11 through 7.10.0 of the plugin, the website could be put at risk of a complete takeover or data breach in the future.
In LayerSlider, SQL injection is possible as well as the function that queries slider pop-up markups is done by the “ls_get_popup_markup” function.
If the “id” parameter of this function is not a number, it is not sanitized before it is passed to “find”. Moreover, even though the plugin escapes $args values with the “esc_sql” function, the “where” key is not included in this function, so attacker-controlled inputs within “where” can be used to query the victim's database by the attacker-controlled inputs.
By manipulating “id” and “where”, an attacker can craft a request in such a way that sensitive data from the database, such as password hashes, can be extracted by manipulating those variables. As the structure of possible queries limits the attack to a time-based blind SQL injection, attackers must observe the database's response times to determine the data from the database. There are several ways in which threat actors can enter WordPress sites through vulnerable WordPress plugins to steal data or compromise a website.
It has been shown that, in January, more than 6,700 WordPress sites were exploited by Balada Injector malware triggered by a cross-site scripting flaw in the Popup Builder plugin logged under CVE-2023-6000. In addition to the thousands of sites that were exposed to the TagDiv Composer plugin flaw tracked as CVE-2023-3169 in October, Balada Injector was installed on over 9,000 sites. In the past six years, over a million WordPress sites have been compromised by the Balada Injector campaign.
According to Sucuri, the Balada Injector has been responsible for more than a million WordPress sites that have been compromised in this campaign.
It is important to note that CVE-2024-2879 still allows malicious actors to access sensitive user information and password hashes from a compromised website's database, despite this limitation. Malicious actors can do this without having any authentication on the website.
There is a further complication because the queries are not prepared using WordPress' '$wpdb->prepare()' function, which ensures that usernames and passwords are sanitized before a query is sent to the database. This prevents SQL injection because the input is therefore sanitized before it is submitted to the database. It was quickly acknowledged by the Kreatura Team of the plugin's creators that the plugin had been prone to the flaw and it was immediately addressed.
It has been less than 48 hours since the developers contacted me about the release of a security update. There are critical vulnerabilities in LayerSlider, which are addressed in version 7.10.1, but it is strongly recommended that all users upgrade to version 7.10.1. A WordPress site admin should in general make sure that all their plugins are up-to-date, remove any plugins that are not required, use strong passwords for their accounts, and deactivate any dormant accounts that could be hacked.
In the world of WordPress, there are thousands of themes and plugins available, each of which builds upon the WordPress experience for the user and makes it better. Some of these are free programs, but the commercial ones tend to have a dedicated team who work on improving them as well as maintaining the security of the program. This happens mainly because hackers choose to target free-to-use themes and plugins.
Many of these are used by millions of people today, but their developers have abandoned them and they are prone to vulnerabilities that have never been addressed (or rarely) by the developers. A safe and secure installation process involves administrators installing themes and plugins that they intend to use, and ensuring that they are always updated to the most recent version of those themes and plugins.