CVE-2024-2879
published 2024-04-03


Priority: P1 · 81 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 18.40% (96.9th percentile)

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kreaturamedia | layerslider | | |
| kreaturamedia | layerslider | | |
| layerslider | layerslider | 7.9.11 – 7.10.0 | |

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+x)
command: id[where]=(SELECT 0 FROM (SELECT SLEEP(5))qualysWAS)
path: /wp-content/plugins/LayerSlider/
  • Detect exploitation attempts by monitoring GET requests to /wp-admin/admin-ajax.php with action=ls_get_popup_markup and an array-style 'id[where]' parameter containing SQL payloads (e.g., SLEEP, SELECT subqueries). The attack is time-based blind SQLi — flag responses with anomalous delays (>=6s).
  • The vulnerability is triggered when the 'id' parameter is non-numeric and passed as an array (e.g., id[where]=...), bypassing the is_numeric() check and injecting unsanitized input into the SQL WHERE clause.
  • Fingerprint vulnerable LayerSlider installations by checking for the presence of the string '.ls-clearfix:before' in /wp-content/plugins/LayerSlider/assets/static/public/front.css before probing for SQLi.
  • The attack is limited to time-based blind SQL injection — detection should focus on response time anomalies correlated with SLEEP() payloads in the id[where] parameter of ls_get_popup_markup AJAX requests.
  • No authentication is required to exploit this vulnerability — any unauthenticated HTTP GET request to the admin-ajax endpoint with the malicious action and id parameter is sufficient.
  • Affected versions are strictly 7.9.11 and 7.10.0 only; version 7.10.1 is patched. Ensure version detection is scoped to these two specific versions to avoid false positives.
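
One way to turn the detection notes above into an access-log check, as an added example (not from the source page or from any vendor rule). It assumes an nginx-style combined log with the request time appended as the last field; the log lines, IP addresses and the severity labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed layout: combined log format plus nginx $request_time as the final field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$')
ARRAY_ID_RE = re.compile(r'^id\[[^\]]*\]$')          # id[where], id[...] after URL-decoding
SQL_RE = re.compile(r'\b(select|sleep|union|benchmark)\b|--', re.I)
SLOW_SECONDS = 6.0                                    # delay threshold from the notes above

# Constructed sample lines (documentation IP ranges); the first reuses the URL listed above.
SAMPLE = [
    '203.0.113.7 - - [03/Apr/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ls_get_popup_markup&id[where]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+x)'
    ' HTTP/1.1" 200 0 "-" "curl/8.0" 6.012',
    '198.51.100.4 - - [03/Apr/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ls_get_popup_markup&id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.041',
    '198.51.100.9 - - [03/Apr/2024:10:00:15 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=ls_get_popup_markup&id%5Bwhere%5D=3 HTTP/1.1" 200 0 "-" "Mozilla/5.0" 0.030',
]

def classify(line):
    """Return None for unrelated traffic, else a dict describing the suspicious request."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    if not url.path.endswith('/wp-admin/admin-ajax.php'):
        return None
    params = parse_qsl(url.query, keep_blank_values=True)  # decodes %xx and '+'
    if ('action', 'ls_get_popup_markup') not in params:
        return None
    hits = [(k, v) for k, v in params if ARRAY_ID_RE.match(k)]
    if not hits:
        return None                                   # scalar id: ordinary popup request
    sql = any(SQL_RE.search(v) for _, v in hits)
    slow = float(m['rt']) >= SLOW_SECONDS
    severity = 'high' if sql and slow else 'medium' if sql else 'low'
    return {'ip': m['ip'], 'keys': [k for k, _ in hits],
            'sql': sql, 'slow': slow, 'severity': severity}

if __name__ == '__main__':
    for entry in SAMPLE:
        print(classify(entry))
```

A payload using a delay shorter than the threshold, such as the SLEEP(5) string listed above, is still reported as 'medium' because the parameter shape and SQL keywords match on their own.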

CVSS provenance

nvd: v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 · HIGH