CVE-2024-2879

9.8 CRITICAL

📋 TL;DR

The LayerSlider WordPress plugin contains an unauthenticated SQL injection vulnerability in its ls_get_popup_markup admin-ajax action: a user-supplied parameter is placed into an existing database query without sufficient escaping or preparation, so an attacker can append SQL to that query and read data out of the database, including the password hashes of WordPress users. Every WordPress site with an affected LayerSlider version installed and activated is exposed; no login or privilege is required.

💻 Affected Systems

Products:
  • LayerSlider WordPress Plugin
Versions: 7.9.11 through 7.10.0 (inclusive)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable LayerSlider versions installed and activated.

📦 What is this software?

LayerSlider is a commercial (premium) WordPress plugin for building sliders, popups and animated page content. It is frequently bundled with themes sold on marketplaces, so a site may have it installed without the owner ever having bought or installed it directly; such bundled copies often lack a licence key and do not receive updates through the normal WordPress updater.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including admin credential theft, data exfiltration, and potential site takeover via privilege escalation.

🟠

Likely Case

Unauthenticated attackers extract sensitive data like user emails, hashed passwords, and site configuration information.

🟢

If Mitigated

The plugin is updated or deactivated, or the action is blocked at the WAF, so injection attempts fail; the probing still appears in web logs and is worth alerting on.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via the ls_get_popup_markup admin-ajax action requires no authentication, and a public proof-of-concept exists. The endpoint is trivial to automate, so mass scanning should be expected; exploitation is blind (time-delay based), which means data is extracted one character at a time and a successful attack generates many requests rather than one.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.10.1

Vendor Advisory: https://layerslider.com/release-log/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find LayerSlider and click 'Update Now'.
4. Verify the version shown is 7.10.1 or later.
5. If no 'Update Now' link appears (typical for copies bundled with a theme), obtain 7.10.1 or later from the theme vendor or your LayerSlider account and install it manually, or update the theme that ships it, then re-check the version.

🔧 Temporary Workarounds

Disable LayerSlider Plugin

Platform: all

Temporarily deactivate the vulnerable plugin until patching is possible. A deactivated plugin's code is not loaded, so its AJAX handler is never registered and the ls_get_popup_markup action is no longer reachable; every slider and popup on the site also disappears until the plugin is re-enabled.

wp plugin deactivate LayerSlider

Web Application Firewall Rule

Platform: all

Block requests to /wp-admin/admin-ajax.php whose action parameter is ls_get_popup_markup. admin-ajax.php reads the action from $_REQUEST, so the rule must inspect both the query string and the POST body: a GET with ?action=ls_get_popup_markup reaches the same handler as a POST. The rule also breaks LayerSlider popups on the front end, so treat it as a stop-gap until the update is applied.

Block GET and POST requests to /wp-admin/admin-ajax.php that carry 'action=ls_get_popup_markup' in the query string or body

🧯 If You Can't Patch

  • Deactivate or delete the plugin. LayerSlider is third-party code, and the durable fix is the vendor's patched query in 7.10.1; a hand edit of the plugin files is overwritten by the next update and hard to track
  • Deploy a web application firewall with generic SQL injection rules plus a specific rule for action=ls_get_popup_markup on admin-ajax.php
  • Treat the database as potentially exposed: if logs show probing of the endpoint, reset WordPress user passwords and rotate any API keys or other secrets that plugins store in the database

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → LayerSlider version. If the version is 7.9.11 through 7.10.0, the system is vulnerable.

Check Version:

wp plugin list --name=LayerSlider --field=version

Verify Fix Applied:

Confirm LayerSlider version is 7.10.1 or later in WordPress admin panel.
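An offline version check, added here as an example (it is not the page's or LayerSlider's own code) for hosts where WP-CLI is unavailable: it reads the Version line from the plugin's main PHP file header and compares it as a numeric tuple against the affected range, which a plain string comparison gets wrong. The header text in the block is constructed, and the file path wp-content/plugins/LayerSlider/layerslider.php is an assumption.

```python
import re
from typing import Optional, Tuple

# Affected range stated in this advisory (inclusive) and the first fixed build.
FIRST_VULNERABLE = "7.9.11"
LAST_VULNERABLE = "7.10.0"
FIXED = "7.10.1"

# Matches the "Version:" line of a WordPress plugin header, with or without
# the leading " * " used inside a /* ... */ comment block.
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '7.10.0' into (7, 10, 0).

    Comparing the strings directly gets the order wrong: '7.10.0' < '7.9.11'
    lexically, so a 7.10.0 install would be treated as older than 7.9.11 and
    a vulnerable site could be reported as safe.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the inclusive affected range."""
    v = parse_version(version)
    return parse_version(FIRST_VULNERABLE) <= v <= parse_version(LAST_VULNERABLE)


def is_fixed(version: str) -> bool:
    """True when the version is the patched release or newer."""
    return parse_version(version) >= parse_version(FIXED)


def version_from_header(plugin_main_file: str) -> Optional[str]:
    """Pull the version out of the plugin's main PHP file contents
    (assumed to live at wp-content/plugins/LayerSlider/layerslider.php)."""
    m = HEADER_VERSION_RE.search(plugin_main_file)
    return m.group(1) if m else None


# Constructed header in the shape of a WordPress plugin header; not the real file.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: LayerSlider
 * Version: 7.10.0
 */
"""

if __name__ == "__main__":
    found = version_from_header(SAMPLE_HEADER)
    if found is None:
        print("no Version: line found")
    elif is_vulnerable(found):
        print(f"{found}: vulnerable, update to {FIXED} or later")
    elif is_fixed(found):
        print(f"{found}: fixed")
    else:
        print(f"{found}: outside the affected range")
```

On a real host, read the file with `open(...).read()` and pass the contents to version_from_header; the function only looks at the header comment, so the rest of the file is irrelevant. Pre-release suffixes such as 7.10.0-beta are not handled by parse_version and would raise, which is deliberate: an unexpected version string should be looked at by a person rather than silently classified.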

📡 Detection & Monitoring

Log Indicators:

  • Requests to /wp-admin/admin-ajax.php carrying action=ls_get_popup_markup together with SQL keywords or time-delay functions (UNION, SELECT, SLEEP(, BENCHMARK() in any other parameter. The action may arrive in the query string (GET) or in the POST body; stock web-server access logs record only the query string, so enable request-body logging at the WAF or reverse proxy to see the POST form.
  • Abnormally slow responses from admin-ajax.php for that action (large request_time values), which is what a blind time-delay injection looks like when the payload itself is not logged
  • Unusual query patterns in the MySQL slow-query or general log, such as SLEEP() or BENCHMARK() calls issued from the WordPress application

Network Indicators:

  • HTTP requests with SQL injection payloads in the query string or POST body, typically with a non-browser user agent
  • Bursts of requests to admin-ajax.php from one source, consistent with automated character-by-character extraction

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php*" AND (uri="*action=ls_get_popup_markup*" OR post_data="*action=ls_get_popup_markup*") AND (uri="*UNION*" OR uri="*SELECT*" OR uri="*SLEEP(*" OR uri="*BENCHMARK(*" OR post_data="*UNION*" OR post_data="*SELECT*" OR post_data="*SLEEP(*" OR post_data="*BENCHMARK(*")

The query assumes a post_data field is populated; against plain access logs only the uri clauses can fire. Match case-insensitively if the SIEM does not do so by default, and remember that payloads are usually URL-encoded (%27 for the quote, + or %20 for spaces), so decode before keyword matching where the platform allows it. A hit on the action alone with a plain numeric id is normal popup traffic, not an attack.
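A worked detection pass over a few constructed access-log lines, added here as an example rather than anything from the page or from LayerSlider. It assumes a combined-format log with one extra quoted field at the end holding the request body (a reverse-proxy or WAF logging option; stock access logs have no such field) and flags a request when the admin-ajax action is ls_get_popup_markup and some other parameter carries SQL tokens. The sample lines, addresses and payload shapes are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic). Combined log format plus a
# trailing quoted request-body field; "-" means no body was logged.
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Apr/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0" "-"',
    '203.0.113.6 - - [01/Apr/2024:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3411 "-" "Mozilla/5.0" "action=ls_get_popup_markup&id=3"',
    '198.51.100.9 - - [01/Apr/2024:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "python-requests/2.31" "action=ls_get_popup_markup&id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)"',
    '198.51.100.9 - - [01/Apr/2024:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=1%27+UNION+SELECT+user_pass+FROM+wp_users-- HTTP/1.1" 200 12 "-" "python-requests/2.31" "-"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"(?: "(?P<body>[^"]*)")?$'
)

# Tokens that never belong in a popup id. SLEEP/BENCHMARK matter because the
# public exploitation of this bug is time-delay based.
SQLI_RE = re.compile(
    r"\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bfrom\b|--|/\*|['\"]",
    re.IGNORECASE,
)

TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "ls_get_popup_markup"


def request_params(target, body):
    """Merge query-string and body parameters the way admin-ajax.php sees
    them through $_REQUEST (body wins on conflict). parse_qs also undoes
    the '+' and %XX encoding, so keyword matching runs on decoded values."""
    merged = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if body and body != "-":
        merged.update(parse_qs(body, keep_blank_values=True))
    return {k: v[0] for k, v in merged.items()}


def scan_line(line):
    """Return a finding for each request to the vulnerable action, marked
    suspicious when a parameter other than action carries SQL tokens."""
    m = LOG_RE.match(line)
    if not m or urlsplit(m["target"]).path != TARGET_PATH:
        return None
    params = request_params(m["target"], m["body"])
    if params.get("action") != TARGET_ACTION:
        return None
    hits = {k: v for k, v in params.items() if k != "action" and SQLI_RE.search(v)}
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "suspicious": bool(hits), "hits": hits}


def scan(lines):
    """All requests to the vulnerable action, benign or not (for baselining)."""
    return [f for f in map(scan_line, lines) if f is not None]


def alerts(lines):
    """Only the requests whose parameters look like injection attempts."""
    return [f for f in scan(lines) if f["suspicious"]]


if __name__ == "__main__":
    for finding in alerts(SAMPLE_LOGS):
        print(f'{finding["ts"]} {finding["ip"]} {finding["method"]} {finding["hits"]}')
```

Run against real logs by replacing SAMPLE_LOGS with the lines of the file; both the GET variant (visible in any access log) and the POST variant (visible only when bodies are logged) are caught because parameters from the query string and body are merged before matching, mirroring what the PHP handler itself sees. The benign request with id=3 is returned by scan() but not by alerts(), which is the baseline-versus-alert split a SIEM rule should preserve.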
