WordPress LayerSlider Plugin: SQL Injection Vulnerability

On March 25th, 2024, a critical security vulnerability was discovered in the LayerSlider plugin for WordPress, marked as CVE-2024-2879. The plugins have more than 10 lakh active installations. This flaw, rated with a CVSS score of 7.5 out of 10.0, is identified as an SQL injection vulnerability impacting LayerSlider versions 7.9.11 through 7.10.0. 

Qualys Web Application Scanning released a QID 150868 to address CVE-2024-2879. The detection is part of the OWASP Top 10 Injection category. SQL injections have been getting a lot of visibility recently which we have discussed in our blog on Navigating SQL Injections.

About CVE-2024-2879

Description

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQL Injection Analysis

The `ls_get_popup_markup()` function is utilized to query slider markup for popups. It accepts the ‘id’ parameter value to identify the slider.

303 function ls_get_popup_markup() {
304
305         $id     = is_numeric( $_GET['id'] ) ? (int) $_GET['id'] : $_GET['id'];
306         $popup = LS_Sliders::find( $id );
307
308         if( $popup ) {
309                 $GLOBALS['lsAjaxOverridePopupSettings'] = true;
310                 $parts  = LS_Shortcode::generateSliderMarkup( $popup );
311                 die( $parts['container'].$parts['markup'].'' );
312         }
313
314         die();
315 }

The function checks if the ‘id’ parameter is numeric using `is_numeric()`. If the ‘id’ parameter is not a number, it is passed without sanitization to the `find()` function in the `LS_Sliders` class.

157                         // Where
158                         $where = '';
159                         if(!empty($args['where']) && !empty($args['exclude'])) {
160                                 $where = "WHERE ({$args['exclude']}) AND ({$args['where']}) ";
161
162                         } elseif(!empty($args['where'])) {
163                                 $where = "WHERE {$args['where']} ";
164
165                         } elseif(!empty($args['exclude'])) {
166                                 $where = "WHERE {$args['exclude']} ";
167                         }
168
169                         // Some adjustments
170                         $args['limit'] = ($args['limit'] * $args['page'] - $args['limit']).', '.$args['limit'];
171
172                         // Build the query
173                         global $wpdb;
174                         $table = $wpdb->prefix.LS_DB_TABLE;
175                         $sliders = $wpdb->get_results("
176                                 SELECT SQL_CALC_FOUND_ROWS {$args['columns']}
177                                 FROM $table
178                                 $where
179                                 ORDER BY `{$args['orderby']}` {$args['order']}, name ASC
180                                 LIMIT {$args['limit']}
181
182                         ", ARRAY_A);

The vulnerability arises within the `find()` function of the `LS_Sliders` class because it doesn’t properly validate user-provided input. While all other `$args` values are sanitized with the `esc_sql()` function, the ‘where’ value lacks this protection.

In this code, the `$where` variable is constructed using string concatenation with user-provided input (`$args[‘where’]`). Then it passed to the query.

Let’s consider an example of an attack. Suppose an attacker provides the following values:

id[where]=(SELECT 0 FROM (SELECT SLEEP(5))qualysWAS)

The resulting SQL query would be:

SELECT SQL_CALC_FOUND_ROWS {$args['columns']} FROM $table (SELECT 0 FROM (SELECT SLEEP(5))qualysWAS)
ORDER BY `{$args['orderby']}` {$args['order']}, name ASC LIMIT {$args['limit']}

In this modified query, the payload `(SELECT 0 FROM (SELECT SLEEP(5))qualysWAS)` is injected into the `$args[‘where’]` parameter. This payload instructs the database to sleep for 5 seconds if the condition is true.

Detecting the Vulnerability with Qualys WAS

Customers can detect this vulnerability with Qualys Web Application Scanning using the following QID:

QID 150868: WordPress LayerSlider Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-2879)

Solution

Customers are advised to upgrade to LayerSlider 7.10.1, or a later version to remediate this vulnerability. For more information please refer LayerSlider Release logs.

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-2879
• https://www.wordfence.com/blog/2024/04/5500-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-layerslider-wordpress-plugin/
• https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/layerslider/layerslider-7911-7100-unauthenticated-sql-injection

Contributors

• Sheela Sarva, Director, Web Application Security, Qualys