How do I know if I am vulnerable to CVE-2024-2879?
The WordPress Plugins screen lists the plugin together with its version, as shown below:

If the version shown is 7.9.11 or 7.10.0, the installation is vulnerable to this CVE.
Why is LayerSlider Vulnerable to SQL Injection?
Because the function ls_get_popup_markup does not sanitize the value of id when it is a string, an attacker can send malicious payloads through it without any filtering, as shown below in assets/wp/actions.php:

When the where argument is passed inside the id parameter, the earlier value never goes through any escaping: whatever was passed in id is used as-is, as shown below in assets/classes/class.ls.sliders.php:

The result is that a specially crafted request to /wp-admin/admin-ajax.php can trigger time-based SQL injection via the id parameter when it carries the where argument and the action parameter is ls_get_popup_markup.
How Easily Can This Be Exploited?
This can be exploited simply using common tools like sqlmap, as shown below:
sqlmap "http://<ip>/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)" --level=3 --risk=2

In the above, I have retrieved the hostname, current database, and current database user. It’s important to note that it’s just as easy to extract data from the tables.
Detecting Attacks
Attacks will be focused on the /wp-admin/admin-ajax.php endpoint and will contain the parameter action with the value ls_get_popup_markup, and the id parameter will carry the where argument, like so: id[where]. The request may also show the sqlmap user-agent if that was the tool used, but this should not be relied upon, as user-agents are easily randomized.
Below is an excerpt from an Apache access.log during the attack:

As shown above, requests will likely contain the keywords sleep or benchmark in the id parameter value, but there could be other variations depending on the DBMS that is running.
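The detection logic described above, as an added example that is not part of the original post: it parses Apache combined-format access.log lines, keeps only requests to admin-ajax.php with action=ls_get_popup_markup and an id[where] argument, and flags time-based keywords (sleep, benchmark) in the decoded value plus a sqlmap user-agent as a weaker indicator. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access.log lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2024:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)%20AND%20(SELECT%20SLEEP(5)) HTTP/1.1" 200 512 "-" "sqlmap/1.8"
203.0.113.5 - - [02/Apr/2024:10:15:07 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id%5Bwhere%5D=1)%20AND%20BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2024:10:16:00 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Apr/2024:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Time-based SQLi primitives for MySQL/MariaDB, matched on the URL-decoded value.
TIME_BASED = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)


def classify(line):
    """Return a finding dict for a request matching the CVE-2024-2879 pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    if url.path != '/wp-admin/admin-ajax.php':
        return None
    # parse_qs percent-decodes both keys and values, so id%5Bwhere%5D and id[where] both match.
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get('action') != ['ls_get_popup_markup']:
        return None
    where_vals = params.get('id[where]')
    if not where_vals:
        return None  # a plain id=N is normal plugin traffic, not the vulnerable path
    payload = where_vals[0]
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'payload': payload,
        'time_based': bool(TIME_BASED.search(payload)),   # strong indicator
        'sqlmap_ua': 'sqlmap' in m.group('ua').lower(),    # weak indicator, easily spoofed
    }


def scan(log_text):
    """Run classify() over every line of an access log and return the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]
```

Any hit on id[where] is worth alerting on regardless of keyword, since the where argument has no legitimate use from an unauthenticated client; the time_based flag only raises the severity.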
Mitigations and Fixes
This vulnerability is fixed in version 7.10.1 of LayerSlider, and upgrading is the recommended solution. If an upgrade is not possible, a WAF configured to block SQL injection attempts may mitigate some of the risk, though this should not be relied upon.
About Security Blue Team
Security Blue Team is a leading online defensive cybersecurity training provider with over 100,000 students worldwide, and training security teams across governments, military units, law enforcement agencies, managed security providers, and many more industries.
Disclaimer
This content is for educational purposes only and we do not endorse illegal activities. Only explore vulnerabilities with proper authorization. The author and Security Blue Team disclaims any liability for misuse.