TLDR:
- Over 1 million WordPress websites were exposed to a critical SQL Injection vulnerability in the LayerSlider plugin
- The flaw, CVE-2024-2879, allowed attackers to extract sensitive data from websites’ databases
Over a million WordPress websites were at risk due to a critical SQL Injection vulnerability in the LayerSlider plugin, identified as CVE-2024-2879. This flaw could potentially expose sensitive data, such as password hashes, from websites’ databases. The vulnerability, classified with a CVSS score of 9.8, was responsibly reported by researcher AmrAwad through the Wordfence Bug Bounty Program, earning the program's highest payout of $5,500.

The technical breakdown revealed that versions 7.9.11 to 7.10.0 of the LayerSlider plugin were susceptible to SQL Injection. The Kreatura Team responded swiftly by releasing a patch within two days, version 7.10.1, to address the vulnerability. Wordfence assured its users that they are protected against exploits targeting this flaw.

This incident highlights the importance of keeping web platforms up-to-date, and users are urged to update their sites to the patched version to mitigate the risk.
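The root cause of this class of WordPress plugin bug is user-controlled input reaching a SQL string without parameterization. The following PHP snippet is an added illustration, not LayerSlider's code and not derived from the CVE-2024-2879 advisory: it shows the generic unsafe pattern next to the hardened form a plugin developer would write using WordPress's own `$wpdb->prepare()` API. The table name `example_sliders`, the request parameters and the function names are hypothetical.

```php
<?php
// Added example (hypothetical plugin code, not LayerSlider). Assumes it runs inside
// WordPress so that the global $wpdb object is available.

// UNSAFE PATTERN: request data is concatenated straight into the query string.
// Any value an attacker controls becomes part of the SQL text. This is the shape
// of bug that lets SQL Injection read arbitrary rows such as password hashes.
function example_get_slider_unsafe( $slider_id, $order_by ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_sliders';
    $sql   = "SELECT id, name FROM {$table} WHERE id = {$slider_id} ORDER BY {$order_by}";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: values go through $wpdb->prepare() placeholders (%d, %s, %f),
// so they are never interpreted as SQL. Identifiers (column names for ORDER BY)
// cannot be parameterized, so they are restricted to a fixed allowlist instead.
function example_get_slider_safe( $slider_id, $order_by ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_sliders';

    // Coerce the id to an integer; %d additionally guarantees an integer literal.
    $slider_id = absint( $slider_id );

    // Allowlist for the sort column: anything not in the list falls back to 'id'.
    $allowed_order = array( 'id', 'name', 'date_modified' );
    if ( ! in_array( $order_by, $allowed_order, true ) ) {
        $order_by = 'id';
    }

    // The column name is interpolated only after allowlisting; the value is a placeholder.
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE id = %d ORDER BY {$order_by}",
        $slider_id
    );
    return $wpdb->get_results( $sql );
}

// Example of a request handler that also enforces authorization before querying.
// Missing capability checks on AJAX/REST handlers are a common companion to SQLi
// in plugins, since they expose the vulnerable query to unauthenticated callers.
function example_ajax_get_slider() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_slider_nonce', 'nonce' );

    $slider_id = isset( $_GET['id'] ) ? $_GET['id'] : 0;
    $order_by  = isset( $_GET['order_by'] ) ? sanitize_key( $_GET['order_by'] ) : 'id';

    wp_send_json_success( example_get_slider_safe( $slider_id, $order_by ) );
}
add_action( 'wp_ajax_example_get_slider', 'example_ajax_get_slider' );
```

When reviewing a plugin for this bug class, look for `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` calls whose SQL string contains interpolated variables that are not wrapped in `$wpdb->prepare()`, and separately check that any column or table name taken from the request is allowlisted, since `prepare()` only covers values.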