LayerSlider WordPress CVE-2024-2879

Introduction

On March 25, 2024, as part of the Bug Bounty Extravaganza program, a researcher under the nickname 1337_wannabe discovered a SQL injection vulnerability in one of the popular WordPress plugins – LayerSlider.

The vulnerability was assigned the identifier CVE-2024-2879 and a CVSS score of 9.8 (critical).

Although the flaw is exploitable mainly as a time-based blind SQL injection, it still lets an attacker extract sensitive information from the database with little effort.

It is worth highlighting that LayerSlider is quite popular among WordPress users, with over 1 million installations. Since the plugin does not support automatic updates, it is reasonable to conclude that a large number of sites on the Internet are still running a vulnerable version that has not yet been updated to the latest release.

Test environment

To test this vulnerability, we deployed WordPress 6.5 and installed the vulnerable LayerSlider version 7.9.11 on it.

To exercise the plugin's functionality, we created a simple Popup from one of the bundled templates and placed it on a test page.

Analysis of the vulnerability

In the plugin source code, the function of interest is ls_get_popup_markup(), located in the file assets/wp/actions.php.

It is the handler for HTTP GET requests to /wp-admin/admin-ajax.php?action=ls_get_popup_markup.

From the source code it is clear that the plugin uses this function to fetch a popup by id, where the identifier is taken from the GET parameter. If id is not a number, it is passed directly to the find() method of the LS_Sliders class.

Inside find() itself, the argument goes through several checks, the first of which is a type check. Reading the conditional branches, it becomes clear that several kinds of argument are supported, but we are only interested in the last one, where the argument is a map (an associative array).

Starting at line 80, we can see how the database query is built. The notable place is the loop on lines 102 to 107, which is meant to escape special SQL characters in user input; in practice it simply strips all SQL syntax characters. But looking at the condition inside the loop, it becomes clear that this is not done for the element under the key 'where'. Most likely this was done to support custom SQL filters, since further down the code builds additional query conditions from that element.

Finally, all parts of the argument are assembled into one query, which is sent to the database.

As a result, any SQL special characters and keywords that the user places in the GET parameter under the key 'where' go unchanged straight into the database query, which means this functionality is vulnerable to SQL injection.

It remains to note that, because of how this query is built and what response reaches the user, a UNION-based injection that returns data directly is not possible. This does not, however, rule out the time-based blind SQL injection technique.

Practical exploitation

Based on the analysis above, we can compose an HTTP request like the following, where the payload is placed in the id parameter of the URI.

http://192.168.3.10:32768/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)

Note how the id parameter is written: PHP parses id[where]=... as an array, or more precisely an associative array (map).

To exploit the time-based blind SQL injection, we will use the automated tool sqlmap.

As arguments we pass the URI composed above, together with --level=3 and --risk=2 so that sqlmap tries a larger number of payloads.

For the demonstration we retrieved the current database user name and the host name, which is done with the --current-user and --hostname options.

The final command was as follows:

sqlmap "http://192.168.3.10:32768/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)" --level=3 --risk=2 --current-user --hostname

In the tool's output, besides the retrieved data, you can see that it identified the injection type as time-based blind and used SLEEP in its payloads.

Protection measures

Fortunately, this vulnerability has already been fixed in LayerSlider version 7.10.1, and all users of the plugin are strongly advised to update to the latest version. If updating is not possible, a WAF configured to block SQL injection attempts may mitigate some of the risk, although it should not be relied upon.
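As an added example (not code from the original article or from the plugin), here is a small Python check a defender could use either as a WAF-style rule or to scan existing access logs for attempts against this endpoint: it flags requests to admin-ajax.php with action=ls_get_popup_markup whose id is passed as an array, and escalates the verdict when id[where] carries SQL syntax. The log lines are constructed for the example, and the function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined log format); not captured from a real site.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12 HTTP/1.1" 200 5120
10.0.0.9 - - [25/Mar/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1) HTTP/1.1" 200 312
10.0.0.9 - - [25/Mar/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id%5Bwhere%5D=1)%20AND%20SLEEP(5)-- HTTP/1.1" 200 314
10.0.0.7 - - [25/Mar/2024:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=5 HTTP/1.1" 200 312
10.0.0.8 - - [25/Mar/2024:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 90
"""

# Combined-format request line: capture the client IP and the request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# SQL syntax a popup id never needs: quotes, parentheses, comment markers and the
# keywords that appear in time-based blind payloads (SLEEP, BENCHMARK, AND/OR).
SQL_RE = re.compile(r"[()'\";#]|--|/\*|\b(?:sleep|benchmark|select|union|and|or)\b", re.I)


def classify(target):
    """Return None for a benign request, otherwise a short verdict string."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes keys too
    if qs.get("action") != ["ls_get_popup_markup"]:
        return None
    # A numeric id takes the normal path; a non-numeric id goes to LS_Sliders::find(),
    # and only the array form id[...] arrives there as a map, the case this CVE concerns.
    if not any(key.startswith("id[") for key in qs):
        return None
    for value in qs.get("id[where]", []):
        if SQL_RE.search(value):
            return "sqli-attempt: id[where] carries SQL syntax"
    return "anomaly: id passed as array"


def scan_log(text):
    """Return (client_ip, verdict) for every flagged request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        verdict = classify(m.group(2))
        if verdict:
            hits.append((m.group(1), verdict))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the two 10.0.0.9 requests as injection attempts and the 10.0.0.7 request as an anomaly, while the numeric-id and heartbeat requests pass.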

Conclusion

In this article we examined in detail a vulnerability in the LayerSlider plugin for WordPress that allows arbitrary queries against the database and, as a result, the extraction of any sensitive information stored in it.
