WordPress LayerSlider Plugin Exposes SQL Injection Risks
The LayerSlider WordPress plugin, versions 7.9.11 to 7.10.0, contains a critical security vulnerability, CVE-2024-2879, which Acunetix has addressed in their latest update.
The vulnerability stems from insufficient parameter sanitization and inadequate SQL query preparation in the action. The function checks if the 'id' parameter is numeric but fails to sanitize it before passing it to the function in the class.
This oversight enables a time-based SQL injection attack: a malicious payload such as 'sleep(5)' injected into the parameter instructs the database to sleep for 5 seconds whenever the attached condition is true, so the response delay reveals whether the condition held.
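The pattern the advisory describes, a parameter that passes a numeric check but is then concatenated into a query, next to the parameterized form that removes the injection surface. This is an added illustration written for this page, not LayerSlider's code; the table, the column names, the weak leading-digit check and the sample inputs are all constructed assumptions standing in for the plugin's real code.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a slider table (not LayerSlider's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sliders (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO sliders VALUES (?, ?)",
        [(1, "home"), (2, "promo"), (3, "footer")],
    )
    return conn


def find_vulnerable(conn, raw_id):
    """Models the defect: a check that the value *looks* numeric (here an assumed
    weak leading-digit check) followed by string concatenation into SQL.
    The check proves nothing about the rest of the string, which is executed as SQL."""
    value = raw_id.strip()
    if not value or not value[0].isdigit():
        return []
    sql = f"SELECT id, name FROM sliders WHERE id = {value}"
    return conn.execute(sql).fetchall()


def find_hardened(conn, raw_id):
    """Hardened form: coerce to int (reject anything else) and bind as a parameter.
    The driver sends the value separately from the statement, so it can never be
    parsed as SQL regardless of what the check above did or did not catch."""
    try:
        slider_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, name FROM sliders WHERE id = ?", (slider_id,)
    ).fetchall()


def compare(raw_id):
    """Run both lookups on the same input and return (vulnerable_rows, hardened_rows)."""
    conn = make_db()
    try:
        return find_vulnerable(conn, raw_id), find_hardened(conn, raw_id)
    finally:
        conn.close()


if __name__ == "__main__":
    for sample in ["1", "1 OR 1=1", "abc"]:
        vuln, safe = compare(sample)
        print(f"{sample!r:>12}: vulnerable -> {vuln}  hardened -> {safe}")
```

The vulnerable lookup returns one row for a well-formed id but every row once a condition is appended, because the "numeric" check only inspected the first character and the remainder was executed as SQL; the hardened lookup returns the same single row for the well-formed id and nothing at all for the tampered one, since the value never reaches the SQL parser. The same separation is what `$wpdb->prepare()` with a `%d` placeholder gives a WordPress plugin.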
This vulnerability falls under the OWASP Top 10 Injection category and has a CVSS score of 7.5 out of 10.0, indicating high severity. It affects over 10 lakh (1 million) active installations of the LayerSlider plugin.
Sheela Sarva, Director of Web Application Security at Qualys, contributed to the discovery of this vulnerability. Qualys Web Application Scanning has released QID 150868 to address CVE-2024-2879.
Users of the LayerSlider plugin are strongly advised to upgrade to version 7.10.1 or later to mitigate this vulnerability. Further details can be found in the LayerSlider Release logs.
For more CVE-2024-2879 details, please refer to the following resources:
- Wordfence blog post
- CVE-2024-2879 details on Wordfence Threat Intelligence
- CVE-2024-2879 details on NVD