April 3, 2024 at 02:03AM
A critical security flaw (CVE-2024-2879) in the LayerSlider plugin for WordPress, with a CVSS score of 9.8, could lead to information extraction from databases. The vulnerability, fixed in version 7.10.1, arose from SQL injection and could allow unauthenticated attackers to manipulate SQL queries. Other WordPress plugins have also disclosed security vulnerabilities recently.
The meeting notes from April 3, 2024 record that a critical security flaw, designated CVE-2024-2879, was discovered in the LayerSlider plugin for WordPress. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to extract sensitive information from databases through SQL injection and affects versions 7.9.11 through 7.10.0. A fix has been released in version 7.10.1; the root cause was insufficient escaping of user-supplied parameters and the absence of wpdb::prepare() when building the query.
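To make the root cause concrete, the following is an added illustration in PHP and is not LayerSlider's code: a hypothetical plugin handler (function, table and parameter names are assumed) that looks up a record by an ID taken from the request, first in the unsafe string-interpolation form the advisory describes, then rewritten to bind the value through wpdb::prepare().

```php
<?php
// Added example, not the plugin's own code. Table and function names are assumed.

/**
 * Vulnerable form: the user-supplied $id is interpolated straight into the SQL
 * string. Nothing escapes it and wpdb::prepare() is never called, so the value
 * can change the structure of the query rather than just its parameter.
 */
function example_get_slider_unsafe( $wpdb, $table, $id ) {
    $sql = "SELECT id, name FROM {$table} WHERE id = {$id}";
    return $wpdb->get_row( $sql, ARRAY_A );
}

/**
 * Hardened form: wpdb::prepare() takes a format string with %d / %s / %f
 * placeholders and binds the caller's values, so the data can never be parsed
 * as SQL. The integer placeholder also coerces the value to an int.
 */
function example_get_slider_safe( $wpdb, $table, $id ) {
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE id = %d",
        absint( $id )
    );
    return $wpdb->get_row( $sql, ARRAY_A );
}

/**
 * A string search with LIKE needs one more step: wildcard characters inside
 * the user's value must be escaped with wpdb::esc_like() before the value is
 * bound with %s, otherwise a stray % or _ widens the match.
 */
function example_find_sliders_by_name( $wpdb, $table, $name ) {
    $like = '%' . $wpdb->esc_like( sanitize_text_field( $name ) ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE name LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * Placeholders bind values, not identifiers. A sort column chosen by the user
 * must be checked against an explicit allow-list, never interpolated.
 */
function example_list_sliders( $wpdb, $table, $order_by ) {
    $allowed  = array( 'id', 'name', 'date_c' );
    $order_by = in_array( $order_by, $allowed, true ) ? $order_by : 'id';
    return $wpdb->get_results( "SELECT id, name FROM {$table} ORDER BY {$order_by}", ARRAY_A );
}
```

In a real plugin the table name comes from `$wpdb->prefix . 'layerslider'` or similar and `$id` from `$_GET`/`$_POST` after `wp_unslash()`; the point of the hardened versions is that every value reaching the query either passes through a `prepare()` placeholder or is constrained to a fixed allow-list. WordPress 6.2 and later also provide the `%i` placeholder for identifiers, which removes the need for the manual allow-list in the last function.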
Furthermore, an unauthenticated stored cross-site scripting (XSS) flaw (CVE-2024-1852, CVSS score: 7.2) was found in the WP-Members Membership Plugin and has since been resolved in version 3.4.9.3. The vulnerability allows attackers to inject arbitrary web scripts into pages; when the injected script executes in the context of an administrator's browser session, it could be used to create rogue user accounts, redirect site visitors, and carry out other attacks.
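The stored-XSS pattern described above reduces to two missing steps: sanitizing untrusted input when it is saved, and escaping it when it is rendered into HTML. The following is an added PHP illustration, not WP-Members' code; the option name, field name and functions are assumed, and it shows a hypothetical plugin that stores a display name submitted from a public form and later renders it on an admin screen.

```php
<?php
// Added example, not the plugin's own code. Option, field and function names are assumed.

/**
 * Vulnerable form: the submitted value is stored verbatim and later echoed
 * straight into the admin page's HTML, so any markup or <script> it contains
 * becomes part of the page the administrator views.
 */
function example_save_display_name_unsafe() {
    $name = isset( $_POST['display_name'] ) ? wp_unslash( $_POST['display_name'] ) : '';
    update_option( 'example_display_name', $name );
}

function example_render_display_name_unsafe() {
    echo '<td>' . get_option( 'example_display_name' ) . '</td>';
}

/**
 * Hardened form, step 1: sanitize on the way in. sanitize_text_field() strips
 * tags and control characters, so what is persisted is plain text. Length is
 * capped as well, since a display name has no business being kilobytes long.
 */
function example_save_display_name_safe() {
    $raw  = isset( $_POST['display_name'] ) ? wp_unslash( $_POST['display_name'] ) : '';
    $name = mb_substr( sanitize_text_field( $raw ), 0, 64 );
    update_option( 'example_display_name', $name );
}

/**
 * Hardened form, step 2: escape on the way out, regardless of what was stored.
 * esc_html() encodes <, >, &, " and ' so the value is rendered as text, which
 * protects the admin page even if an older, unsanitized value is still in the
 * database. Use esc_attr() for attribute context and esc_url() for href/src.
 */
function example_render_display_name_safe() {
    echo '<td>' . esc_html( get_option( 'example_display_name' ) ) . '</td>';
}
```

Input sanitization and output escaping are deliberately both present: sanitizing alone leaves previously stored values and other write paths unprotected, while escaping alone still lets junk into the database. Escaping is chosen per output context, which is why the comment names the attribute and URL variants.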
Additionally, security vulnerabilities have been disclosed in other WordPress plugins such as Tutor LMS (CVE-2024-1751, CVSS score: 8.8) and Contact Form Entries (CVE-2024-2030, CVSS score: 6.4) over the past few weeks. These vulnerabilities could be exploited for information disclosure and to inject arbitrary web scripts, respectively.
As a result, it is crucial for all users of these affected plugins to update to the latest versions to ensure their website’s security.