    Critical security vulnerability discovered in popular LayerSlider WordPress plugin

    By techempire | April 3, 2024 | Editorial Department | Cyber Security/Vulnerabilities


    A critical security vulnerability affecting the WordPress LayerSlider plugin could be abused to extract sensitive information such as password hashes from the database.

    The flaw is tracked as CVE-2024-2879 and has a CVSS score of 9.8 out of 10.0. It is described as a case of SQL injection affecting versions 7.9.11 through 7.10.0.

    The issue was resolved in version 7.10.1, released on March 27, 2024, following responsible disclosure on March 25. “This update includes important security fixes,” the maintainers of LayerSlider said in their release notes.

    LayerSlider is a visual web content editor, graphic design software, and digital visual effects tool that allows users to create animations and rich content for their websites. According to its own website, the plugin is used by “millions of users around the world.”


    Wordfence said the flaw stems from insufficient escaping of user-supplied parameters and the absence of wpdb::prepare(), allowing an unauthenticated attacker to append additional SQL queries and extract sensitive information.
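A rough static check for the root cause described above (SQL built from variables and sent through `$wpdb` without `wpdb::prepare()`), as an added example that is not LayerSlider's or Wordfence's code. The PHP sample, its `demo_*` functions and the `demo_sliders` table are constructed for illustration; the heuristic ignores function scope and does not inspect the `prepare()` format string.

```python
import re
# $wpdb methods that send a SQL string to the database.
QUERY_CALL = re.compile(r"\$wpdb->(?:query|get_results|get_row|get_var|get_col)\s*\(")
PHP_VAR = re.compile(r"\$(?!wpdb\b)[A-Za-z_]\w*")  # any variable except $wpdb itself

def call_argument(src, start):
    """Argument text of a call whose '(' ends just before offset `start`."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1].strip()

def assigned_sql(src, var, before):
    """Join every right-hand side assigned to `var` (= or .=) before `before`."""
    pat = re.compile(re.escape(var) + r"\s*\.?=(?!=)\s*(.*?);", re.S)
    return " ".join(m.group(1) for m in pat.finditer(src, 0, before))

def find_unprepared(src):
    """Return (line, argument) for query calls built from variables without prepare()."""
    findings = []
    for m in QUERY_CALL.finditer(src):
        arg = sql = call_argument(src, m.end())
        if re.fullmatch(r"\$[A-Za-z_]\w*", arg):  # query passed as a bare variable
            sql = assigned_sql(src, arg, m.start())
        if not re.search(r"\$wpdb->prepare\s*\(", sql) and PHP_VAR.search(sql):
            findings.append((src.count("\n", 0, m.start()) + 1, arg))
    return findings

# Constructed sample; demo_* functions and the demo_sliders table are hypothetical.
SAMPLE = r'''<?php
function demo_get_slider_unsafe( $id ) {
    global $wpdb;
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}demo_sliders WHERE id = $id" );
}
function demo_get_slider_safe( $id ) {
    global $wpdb;
    return $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}demo_sliders WHERE id = %d", $id ) );
}
function demo_find_sliders( $args ) {
    global $wpdb;
    $where = "WHERE " . $args['where'];
    $sql = "SELECT * FROM {$wpdb->prefix}demo_sliders $where";
    return $wpdb->get_results( $sql );
}
'''

if __name__ == "__main__":
    print(*find_unprepared(SAMPLE), sep="\n")
```

On the sample it reports lines 4 and 14 and passes over the `prepare()` call on line 8; findings are leads for manual review, not proof of exploitability.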

    The development follows the discovery of an unauthenticated stored cross-site scripting (XSS) flaw in the WP-Members membership plugin (CVE-2024-1852, CVSS score: 7.2) that could facilitate the execution of arbitrary JavaScript code. It has been resolved in version 3.4.9.3.


    The WordPress security company said that due to insufficient input sanitization and output escaping, the vulnerability “allows an unauthenticated attacker to inject arbitrary web script into the page, which will be deleted whenever the user visits the injected page (i.e., edit the user page). The script will be executed.”

    It added that if the code is executed in the context of an administrator’s browser session, it could be used to create malicious user accounts, redirect site visitors to other malicious sites, and conduct other attacks.

    Over the past few weeks, security vulnerabilities have also been revealed in other WordPress plugins, such as Tutor LMS (CVE-2024-1751, CVSS score: 8.8) and Contact Form Entry (CVE-2024-2030, CVSS score: 6.4), which could be used to leak information and inject arbitrary web scripts, respectively.
