Overview:
The National Security Operations Centre (NSOC) is alerting the public to a critical vulnerability found in the LayerSlider plugin for WordPress.
The vulnerability, tracked as CVE-2024-2879 (CVSS score: 9.8), is rated critical. According to the advisory released by Wordfence, “The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.”
Affected Version(s):
LayerSlider plugin for WordPress 7.9.11 - 7.10.0
Recommendations:
The NSOC advises users, administrators, and organizations in both the public and private sectors to update the LayerSlider plugin to the latest secure version, which at the time of writing is LayerSlider 7.10.1 (https://layerslider.com/release-log/). In line with best practice, patch as soon as feasible.
Resources:
https://www.wordfence.com/blog/2024/04/5500-bounty-awarded-for-unauthen…