WordPress LayerSlider plugin bug risks password hash extraction

A critical vulnerability in the WordPress plugin LayerSlider could allow unauthenticated attackers to extract password hashes via SQL injection.

The bug, tracked as CVE-2024-2879, has a CVSS score of 9.8 and affects LayerSlider versions 7.9.11 through 7.10.0. A patch for the flaw was first made available on March 27 with the release of LayerSlider 7.10.1.

LayerSlider is a visual web content, graphic design and digital visual effects plugin with “millions” of users worldwide, according to its website.

The LayerSlider vulnerability was discovered and reported by AmrAwad during Wordfence’s Bug Bounty Extravaganza on March 25, earning the researcher a $5,500 bounty, the highest ever paid out by Wordfence.

The SQL injection lies in the function LayerSlider uses to query slider popup markup. If the “id” parameter of the “ls_get_popup_markup” function is not a number, it is passed unsanitized to the “find” function.

Additionally, while the plugin escapes $args values using the “esc_sql” function, the “where” key is excluded from that escaping, so attacker-controlled input contained within “where” reaches the victim’s database query unescaped.

As a result, an attacker could craft a request manipulating “id” and “where” to extract sensitive information, including password hashes, from the database.

However, UNION-based SQL injection is not possible when exploiting this vulnerability because of how the queries are structured, so an attacker would need to take the additional step of including SQL CASE statements and the “SLEEP” function in their requests.

This method, known as time-based blind SQL injection, involves indirectly extracting data by monitoring the response time of the database server based on the specified true/false CASE statements and the SLEEP time.

Repeatedly querying the database with different CASE conditions and observing the response time eventually enables the attacker to determine the values contained in the database.
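As an added illustration for defenders, not code from the article, from Wordfence or from the plugin, the following Python scanner flags access-log entries that match the pattern described above: a non-numeric “id”, a time-delay function or CASE WHEN expression in the parameters, and an unusually slow response. It assumes the function is reached through admin-ajax.php with action=ls_get_popup_markup (an assumption; the article names only the function) and runs over constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed nginx-style log lines with a trailing $request_time field.
# They are invented for this example and do not come from any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12 HTTP/1.1" 200 5120 0.041
203.0.113.9 - - [27/Mar/2024:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12%20AND%20(CASE%20WHEN%20(1%3D1)%20THEN%20SLEEP(5)%20ELSE%200%20END) HTTP/1.1" 200 0 5.012
203.0.113.9 - - [27/Mar/2024:10:01:13 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12%20AND%20(CASE%20WHEN%20(1%3D2)%20THEN%20SLEEP(5)%20ELSE%200%20END) HTTP/1.1" 200 0 0.039
198.51.100.7 - - [27/Mar/2024:10:02:00 +0000] "GET /wp-content/plugins/layerslider/css/layerslider.css HTTP/1.1" 200 8801 0.003
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ (?P<rtime>[\d.]+)$')
TIME_FUNCS = re.compile(r'\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b', re.I)
CASE_RE = re.compile(r'\bCASE\s+WHEN\b', re.I)
SLOW_SECONDS = 3.0  # threshold for "slower than a normal popup-markup request"; tune per site

def analyse_line(line):
    """Return the reasons a request looks like a time-based probe, or [] if it looks benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    qs = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)  # parse_qs percent-decodes
    if qs.get('action', [''])[0] != 'ls_get_popup_markup':  # assumed AJAX action name
        return []
    reasons = []
    if not qs.get('id', [''])[0].isdigit():
        reasons.append('non-numeric id')
    blob = ' '.join(v for vals in qs.values() for v in vals)  # every parameter, including any "where"
    if TIME_FUNCS.search(blob):
        reasons.append('time-delay function in parameters')
    if CASE_RE.search(blob):
        reasons.append('CASE WHEN in parameters')
    if float(m['rtime']) >= SLOW_SECONDS:
        reasons.append(f"slow response ({m['rtime']}s)")
    return reasons

def scan(log_text):
    """Map (source IP, timestamp) of each suspicious request to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        reasons = analyse_line(line)
        if reasons:
            m = LOG_RE.match(line.strip())
            findings[(m['ip'], m['ts'])] = reasons
    return findings
```

The two flagged lines show the true/false pair that characterises a time-based blind probe: the same client, the same condition shape, and one response that is seconds slower than the other.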

“This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities,” Wordfence stated in its blog post about the LayerSlider vulnerability.

Vulnerable WordPress plugins are a popular entry point for threat actors to extract data or compromise WordPress sites. For example, a cross-site scripting flaw in the Popup Builder plugin, tracked as CVE-2023-6000, was leveraged to spread Balada Injector malware on more than 6,700 WordPress sites in January.

Balada Injector was also deployed on more than 9,000 sites vulnerable to the TagDiv Composer plugin flaw tracked as CVE-2023-3169 last October. Overall, more than a million WordPress sites have been compromised in the Balada Injector campaign over the past six years, according to Sucuri.