Another popular WordPress plugin has a serious security problem: patch now to keep your website safe

Another major WordPress plugin was found vulnerable to a very serious flaw that allowed malicious actors to steal sensitive information from the website, including password hashes.

LayerSlider has published a new security advisory, stating that the product is now at version 7.10.1, but adding: “This update contains important security fixes.”

While the announcement does not provide details about the vulnerability fixed, The Hacker News reported that the project fixed a SQL injection vulnerability affecting versions 7.9.11 through 7.10.0. This vulnerability is now tracked as CVE-2024-2879 and has a severity score of 9.8 (critical).

Focused on WordPress

On its website, LayerSlider describes itself as a “visual web content editor, graphic design software, and digital visual effects application all in one.” It also claims that it is used by “millions” of people around the world. LayerSlider is a commercial WordPress plugin, with annual license packages ranging from $26 to $159.

As the world’s most popular website builder, used by around half of all existing websites, WordPress is a prime target for cybercriminals around the world. However, because the platform is generally considered secure, hackers have turned their attention to third-party themes and plugins, as these are rarely as secure as the platform itself.

There are thousands of themes and plugins for WordPress, all of which build on and improve the WordPress experience. Some are free to use, but commercial ones usually have a dedicated team working on improvements and security. As a result, hackers will usually opt for free-to-use themes and plugins. Many have millions of users, but have been abandoned by their developers and contain vulnerabilities that are never (or rarely) addressed.

To stay safe, administrators should only install themes and plugins they want to use, and ensure they are always updated to the latest version.
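As an added example (not code from LayerSlider or from this article), the following Python sketch audits a plugins directory by reading each plugin's header comment and flagging any LayerSlider copy whose version falls in the affected range reported above (7.9.11 through 7.10.0). Matching on "layerslider" in the `Plugin Name` header, and the sample folder and file names, are assumptions; the sample tree is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Affected range as reported on this page: 7.9.11 through 7.10.0 (fixed in 7.10.1).
AFFECTED_MIN, AFFECTED_MAX = (7, 9, 11), (7, 10, 0)
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """Turn '7.10' or '7.9.11' into a 3-tuple of ints so that 7.10.0 sorts above 7.9.11."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def read_header(php_file):
    """Read the plugin header fields; WordPress itself only scans the first 8 KB."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value.strip())  # first occurrence wins
    return fields

def audit_plugins(plugins_dir, name_hint="layerslider"):
    """Return (folder, version, status) for each plugin whose name contains name_hint."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = read_header(php_file)
        if name_hint not in fields.get("plugin name", "").lower() or "version" not in fields:
            continue
        version = parse_version(fields["version"])
        status = ("AFFECTED" if AFFECTED_MIN <= version <= AFFECTED_MAX
                  else "patched" if version > AFFECTED_MAX else "outside reported range")
        findings.append((php_file.parent.name, fields["version"], status))
    return findings

def build_sample_tree(root):
    """Constructed sample: fake plugin folders with header comments only."""
    for folder, version in {"site-a": "7.10.0", "site-b": "7.10.1", "site-c": "7.9.10"}.items():
        plugin = Path(root) / folder
        plugin.mkdir()
        (plugin / "main.php").write_text(f"<?php\n/*\nPlugin Name: LayerSlider\nVersion: {version}\n*/\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit_plugins(build_sample_tree(tmp)):
            print(*row)
```

Point `audit_plugins` at a real `wp-content/plugins` directory to use it; versions are compared numerically, so 7.10.0 is correctly treated as newer than 7.9.11.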
