T recently discovered a critical vulnerability in the popular LayerSlider WordPress plugin that poses a substantial risk to over a million websites.
This vulnerability allows unauthenticated SQL injection, making it crucial for admins to prioritize applying security updates for the plugin.
What is LayerSlider?
LayerSlider is a premium WordPress plugin widely used by businesses, bloggers, and developers to create visually appealing elements for websites. Its features include responsive sliders, image galleries, dynamic content animations, and more. The plugin’s popularity and extensive use make this vulnerability particularly concerning.
Researcher AmrAwad discovered the critical (CVSS score: 9.8) flaw, tracked as CVE-2024-2879, on March 25, 2024, and reported it to WordPress security firm Wordfence via its bug bounty program. For his responsible reporting, AmrAwad received a bounty of $5,500.
The flaw, which impacts versions 7.9.11 through 7.10.0 of the plugin, could allow attackers to extract sensitive data, such as password hashes, from the site’s database, putting them at risk of complete takeover or data breaches.
All users of LayerSlider are recommended to upgrade to version 7.10.1, which addresses the critical vulnerability.
