Unauthenticated SQL Injection Vulnerability Patched in Popular LayerSlider WordPress Plugin

Wordfence recently disclosed and helped patch a critical vulnerability in the popular LayerSlider WordPress plugin. The flaw, an unauthenticated SQL injection, could let an attacker with no account on the site extract sensitive data, such as user password hashes, from the site's database.

The vulnerability, CVE-2024-2879, was identified during Wordfence's second Bug Bounty Extravaganza by security researcher AmrAwad, who reported it through the Wordfence Bug Bounty Program. The report earned AmrAwad a $5,500 bounty, the highest Wordfence had awarded to date.

SQL injection flaws let an attacker change the structure of a database query by supplying input that the application pastes into the query text, which can expose or alter data the attacker should never be able to reach. In this case, LayerSlider did not adequately escape or parameterize a user-supplied value before using it in a database query, so crafted input was executed as SQL. Because the vulnerable request required no authentication, any visitor to an affected site could send it.
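To make the class of bug concrete, here is an added example (not LayerSlider's or Wordfence's code) that puts the vulnerable pattern beside its parameterized fix on a small in-memory sqlite database. The table names wp_layerslider and wp_users, the columns, the rows, the fake password hash and the two payloads are all constructed for the demo; the page does not describe the plugin's actual request or query, and the UNION payload is only a stand-in for the general technique. Binding the value as a query parameter is the sqlite equivalent of what $wpdb->prepare() does in a WordPress plugin.

```python
# Added example (not LayerSlider's or Wordfence's code): a slider lookup
# built by string concatenation beside its parameterized, validated form.
import re
import sqlite3

# Constructed stand-in schema: the table names, columns and rows are invented
# for this demo and are not the plugin's real layout.
SAMPLE_SCHEMA = """
CREATE TABLE wp_layerslider (id INTEGER PRIMARY KEY, name TEXT, data TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO wp_layerslider VALUES (1, 'Home hero', '{"layers": []}');
INSERT INTO wp_layerslider VALUES (2, 'Promo popup', '{"layers": []}');
INSERT INTO wp_users VALUES (1, 'admin', '$P$FAKEhashFAKEhashFAKEhashFAKEha.');
"""

# Constructed payloads standing in for a tampered request parameter.
PAYLOAD_OR = "1 OR 1=1"
PAYLOAD_UNION = "0 UNION SELECT ID, user_login, user_pass FROM wp_users"


def build_db() -> sqlite3.Connection:
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def find_slider_unsafe(conn: sqlite3.Connection, slider_id: str) -> list:
    """Vulnerable pattern: the request value is concatenated into the query,
    so the database parses it as SQL instead of treating it as data."""
    sql = "SELECT id, name, data FROM wp_layerslider WHERE id = " + slider_id
    return conn.execute(sql).fetchall()


def find_slider_bound_only(conn: sqlite3.Connection, slider_id: str) -> list:
    """Parameter binding alone: the value is compared as one opaque string,
    so a payload can never alter the query; it simply matches no row."""
    sql = "SELECT id, name, data FROM wp_layerslider WHERE id = ?"
    return conn.execute(sql, (slider_id,)).fetchall()


def find_slider_safe(conn: sqlite3.Connection, slider_id: str) -> list:
    """Hardened form: check the input has the expected shape, then bind it
    (the validation is defence in depth on top of the binding)."""
    if re.fullmatch(r"[0-9]{1,10}", slider_id) is None:
        raise ValueError("slider id must be a plain integer")
    sql = "SELECT id, name, data FROM wp_layerslider WHERE id = ?"
    return conn.execute(sql, (int(slider_id),)).fetchall()


def safe_lookup_rejects(conn: sqlite3.Connection, value: str) -> bool:
    """True if the hardened lookup refuses the value instead of running it."""
    try:
        find_slider_safe(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("unsafe, OR payload    :", find_slider_unsafe(db, PAYLOAD_OR))
    print("unsafe, UNION payload :", find_slider_unsafe(db, PAYLOAD_UNION))
    print("bound only, payload   :", find_slider_bound_only(db, PAYLOAD_UNION))
    print("safe, id=1            :", find_slider_safe(db, "1"))
    print("safe rejects payload  :", safe_lookup_rejects(db, PAYLOAD_UNION))
```

Run stand-alone, the unsafe lookup returns both sliders for the OR payload and the admin row with its password hash for the UNION payload, which is the "extract password hashes" outcome the advisory warns about. The bound-only lookup returns nothing for either payload, and the validated form rejects them before the query runs.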

According to hunter.how, around 700k WordPress websites have LayerSlider installed.

How to Protect Your WordPress Site?

The good news is that a patch has already been released to address this vulnerability. Here’s what you need to do to protect your site:

Update LayerSlider: The patched version is LayerSlider 7.10.1; treat any earlier version as vulnerable. Update the plugin immediately from your WordPress dashboard: go to Plugins, open Installed Plugins, and click Update next to LayerSlider. If LayerSlider was bundled with a theme, check the version shown under Installed Plugins and, if it is below 7.10.1, obtain the update from the theme vendor or through the plugin's own update mechanism.

Consider a WordPress Security Plugin: It is also worth running a WordPress security plugin with a web application firewall and vulnerability scanning. It cannot fix flaws in other plugins, but it can block known exploit attempts and warn you when an installed plugin version has a published vulnerability. If your site ran a vulnerable version before patching, assume the database may have been read: review access logs for unusual requests to the plugin and consider resetting user passwords, since extracted password hashes can be cracked offline.

June Bauer

Pop cultureaholic, Technology expert, Web fanatic and a Social media geek. If you have any questions or comments please feel free to email her at june@thecoinspost.com or contact her on X @JuneTBauer1
