How do I know if I am vulnerable to CVE-2024-2879?
The WordPress Plugins screen shows the plugin and its installed version, as shown below:
If the version shown is 7.9.11 or 7.10.0, the installation is vulnerable to this CVE.
Why is LayerSlider Vulnerable to SQL Injection?
Due to a lack of sanitization in the function ls_get_popup_markup when the value of id is a string, an attacker can send malicious payloads without any filtering, as shown below in assets/wp/actions.php:
When the where argument is passed inside the id parameter, the value received earlier does not go through any escaping: whatever was passed in id is used in its current form, as shown below in assets/classes/class.ls.sliders.php:
The result is that a specially crafted request to /wp-admin/admin-ajax.php can result in time-based SQL Injection on the id parameter when it carries the where argument and the action parameter is ls_get_popup_markup.
How Easily Can This Be Exploited?
This can be exploited simply using common tools like sqlmap, as shown below:
sqlmap "http://<ip>/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)" --level=3 --risk=2
In the above, I have retrieved the hostname, current database, and current database user. It’s important to note that it’s just as easy to extract data from the tables.
Detecting Attacks
Attacks will be focused on the /wp-admin/admin-ajax.php endpoint and will contain the parameter action with the value ls_get_popup_markup, and the id parameter will carry the where argument, like so: id[where]. The request may also show the sqlmap user-agent if that was the tool the attacker used, but this should not be relied upon, as user-agents can be randomized.
Below is an excerpt from an Apache access.log during the attack:
As shown above, requests will likely contain the keywords sleep or benchmark in the id parameter value, but there could be other variations depending on the DBMS that is running.
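The detection logic described above, written out as an added example (not code from the original post or from LayerSlider): it parses Apache combined-format access.log lines, keeps only requests to /wp-admin/admin-ajax.php whose action is ls_get_popup_markup and whose id parameter carries the where argument, and then notes whether the value contains a timing keyword or the request used a sqlmap user-agent. The log lines are constructed for the example.

```python
"""Flag CVE-2024-2879 exploitation attempts in Apache access.log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format is assumed; only client IP, request URL and UA are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TIMING_KEYWORDS = ("sleep", "benchmark")  # time-based primitives the write-up names


def classify(line):
    """Return a findings dict for an exploitation attempt, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    if url.path != "/wp-admin/admin-ajax.php":
        return None
    # parse_qs percent-decodes names as well as values, so id%5Bwhere%5D becomes id[where].
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("action") != ["ls_get_popup_markup"]:
        return None
    where_vals = params.get("id[where]")
    if not where_vals:
        return None  # a plain id without the where argument does not reach the unescaped path
    payload = " ".join(where_vals)
    return {
        "ip": m["ip"],
        "payload": payload,
        "timing_keyword": any(k in payload.lower() for k in TIMING_KEYWORDS),
        "sqlmap_ua": "sqlmap" in m["ua"].lower(),
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [f for f in map(classify, lines) if f]


# Constructed sample lines (not taken from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Apr/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ls_get_popup_markup&id[where]=1)+AND+SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.8"',
    '198.51.100.9 - - [02/Apr/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ls_get_popup_markup&id%5Bwhere%5D=1)+AND+BENCHMARK(1000000,1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [02/Apr/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ls_get_popup_markup&id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [02/Apr/2024:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat'
    ' HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the second sample line uses a non-sqlmap user-agent and a URL-encoded id[where] key, which is why the match is made on the decoded parameter name rather than on the user-agent string.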
Mitigations and Fixes
This vulnerability is fixed in version 7.10.1 of LayerSlider, and upgrading is the recommended solution. If an upgrade is not possible, a WAF configured to block SQL Injection attempts may mitigate some of the risk, though this should not be relied upon.
About Security Blue Team
Security Blue Team is a leading online defensive cybersecurity training provider with over 100,000 students worldwide, and training security teams across governments, military units, law enforcement agencies, managed security providers, and many more industries.
Disclaimer
This content is for educational purposes only and we do not endorse illegal activities. Only explore vulnerabilities with proper authorization. The author and Security Blue Team disclaims any liability for misuse.