WordPress LayerSlider Plugin: SQL Injection Vulnerability
On March 25th, 2024, a critical security vulnerability was discovered in the LayerSlider plugin for WordPress, tracked as CVE-2024-2879. The plugin has more than 10 lakh (1 million) active installations. This flaw, rated with a CVSS score of 7.5 out of 10.0, is an SQL injection vulnerability affecting LayerSlider versions 7.9.11 through 7.10.0.
Qualys Web Application Scanning released QID 150868 to detect CVE-2024-2879. The detection falls under the OWASP Top 10 Injection category. SQL injections have received a lot of attention recently, a topic we discussed in our blog post on Navigating SQL Injections.
About CVE-2024-2879
| Field | Value |
|---|---|
| QID | 150868 |
| Severity | 5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVSS 3.1 Score | 7.5 |
| Affected Versions | 7.9.11 – 7.10.0 |
Description
The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
SQL Injection Analysis
The `ls_get_popup_markup()` function is used to query slider markup for popups. It accepts the `id` parameter value to identify the slider.
The function checks whether the `id` parameter is numeric using `is_numeric()`. If the `id` parameter is not a number, it is passed without sanitization to the `find()` function of the `LS_Sliders` class.
The vulnerability arises within the `find()` function of the `LS_Sliders` class because it does not properly validate user-provided input. While all other `$args` values are sanitized with the `esc_sql()` function, the `where` value lacks this protection.
In this code, the `$where` variable is constructed by string concatenation with user-provided input (`$args['where']`). It is then passed to the query.
Let’s consider an example of an attack. Suppose an attacker provides the following values:
The resulting SQL query would be:
In this modified query, the payload `(SELECT 0 FROM (SELECT SLEEP(5))qualysWAS)` is injected into the `$args[‘where’]` parameter. This payload instructs the database to sleep for 5 seconds if the condition is true.
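To make the pattern described above concrete, the following PHP script is an added illustration (not LayerSlider's code and not Qualys's detection logic). It reproduces the shape of the flaw as the analysis describes it: a numeric `id` is cast and used, while a non-numeric `id` becomes the `where` value verbatim and is concatenated into the query unescaped. The `sliders` table, its columns and the non-numeric branch are assumptions made for the example; the hardened function shows the allow-list check plus bound parameter that removes the problem (in WordPress the equivalent is `$wpdb->prepare('... WHERE id = %d', $id)`).

```php
<?php
declare(strict_types=1);

// Added example, not LayerSlider's code: mirrors the unsafe 'where' handling
// described in the analysis. Table and column names are constructed.

// Vulnerable pattern: the 'where' value is concatenated into the SQL text
// without escaping, so a non-numeric $id lands in the query verbatim.
// The non-numeric branch is hypothetical and follows the page's description.
function build_query_vulnerable(string $id): string
{
    $args = is_numeric($id)
        ? ['where' => 'id = ' . (int) $id]
        : ['where' => $id];               // unescaped, unlike the esc_sql()'d args
    $where = 'WHERE ' . $args['where'];
    return 'SELECT id, name FROM sliders ' . $where;
}

// Hardened pattern: strict allow-list on the input and a prepared statement
// with a bound parameter. ctype_digit() is stricter than is_numeric(), which
// also accepts forms such as "1e3" or leading whitespace.
function find_slider_safe(PDO $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;                      // anything but an unsigned integer id is rejected
    }
    $stmt = $db->prepare('SELECT id, name FROM sliders WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sliders (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO sliders (id, name) VALUES (1, 'home'), (2, 'promo')");

// Two inputs: the expected numeric id, and the time-based payload quoted in the
// analysis above. The vulnerable query is only printed, never executed.
$inputs = ['2', '(SELECT 0 FROM (SELECT SLEEP(5))qualysWAS)'];

foreach ($inputs as $id) {
    echo "input: {$id}\n";
    echo '  vulnerable SQL : ' . build_query_vulnerable($id) . "\n";
    $row = find_slider_safe($db, $id);
    echo '  hardened lookup: ' . ($row === null ? 'rejected' : json_encode($row)) . "\n";
}
```

Run with `php example.php`. For the numeric input both paths agree; for the payload the vulnerable builder emits `SELECT id, name FROM sliders WHERE (SELECT 0 FROM (SELECT SLEEP(5))qualysWAS)`, which is exactly the attacker-controlled clause the analysis describes, while the hardened function never touches the database. The point for reviewers is that escaping some of `$args` is not enough: every fragment that reaches the SQL text must be either validated against an allow-list or bound as a parameter.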
Detecting the Vulnerability with Qualys WAS
Customers can detect this vulnerability with Qualys Web Application Scanning using the following QID:
QID 150868: WordPress LayerSlider Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-2879)
Solution
Customers are advised to upgrade to LayerSlider 7.10.1 or later to remediate this vulnerability. For more information, please refer to the LayerSlider release logs.