threatover Patrik Grobshäuser

CVE-2024-2879 · Unauth SQLi · bundled with themes

LayerSlider SQL injection cleanup.

Unauthenticated SQL injection in LayerSlider let attackers read the WordPress database without logging in: admin password hashes first, then anything else stored there. Heaviest impact: sites running themes that bundle LayerSlider, where the bundled copy was never updated. Flat $279 to clean up.

What the bug was

User input → SQL, no authentication.

An AJAX action in LayerSlider (ls_get_popup_markup, reachable through admin-ajax.php) took user-controlled input and built it into a SQL query with no prepared statement and no escaping. No authentication required. Affected: 7.9.11 through 7.10.0. Patched: 7.10.1, released March 27, 2024.

An SQLi here is dangerous for what it reads, not what it writes. The injection lands in a read query, so the attacker gets a read primitive over the whole database: wp_users password hashes, which on WordPress releases of that era are portable phpass hashes ($P$...) that crack far faster offline than bcrypt; plugin API keys and other secrets in wp_options; and, on sites that never defined AUTH_KEY and friends in wp-config.php, the keys WordPress generated itself and stored in the options table. With those keys an attacker can forge an authentication cookie and skip the login form entirely. Keys that are defined in wp-config.php are not reachable from the database, which is why the rotation step below is about invalidating every session, not only about exfiltration.

Indicators

What I look at.

  • ACCESS LOG

    Requests (GET or POST) to admin-ajax.php with action=ls_get_popup_markup or other ls_ actions whose parameters carry classic SQLi patterns: UNION SELECT, SLEEP()/BENCHMARK() for time-based blind extraction, hex-encoded string literals, comment terminators. Caveat: a default combined-format access log records the query string but not the POST body, so a POST to a LayerSlider action with a clean query string still has to be checked against WAF or ModSecurity audit logs.

  • SESSIONS

    Admin sessions from unfamiliar IPs with no matching wp-login.php POST in the same window. A valid admin session that never went through the login form points to a forged cookie, which requires the AUTH_KEY secrets.

  • USERS

    New administrator accounts created since March 2024, and password or email changes on existing admins you didn't make. The session_tokens rows in wp_usermeta record login time, IP and user agent per session, which is what I cross-check against the access log.

  • SECRETS ROTATION

    Rotating the keys and salts in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their _SALT counterparts) invalidates every existing cookie, including any the attacker forged or stole, so it has to happen before any cleanup is durable. If the site never defined them and WordPress generated them into wp_options, treat them as leaked and define fresh ones in wp-config.php. I do this as standard.
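The access-log check above, written out as a small scanner. This is an added example, not threatover's own tooling: it parses combined-format lines, percent-decodes the query string, flags any ls_ action on admin-ajax.php, and reports which SQLi pattern matched in which parameter. The log lines are constructed for the example, and the function names (parse_line, classify, scan, attacker_ips) and the verdict labels are assumptions. A POST to a LayerSlider action with no visible payload gets the verdict "unseen_body", because the body is not in the access log and must be looked up in WAF or audit logs instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [28/Mar/2024:02:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12 HTTP/1.1" 200 4182 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2024:02:14:11 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12%20UNION%20SELECT%20user_pass%20FROM%20wp_users HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [28/Mar/2024:02:15:40 +0000] "POST /wp-admin/admin-ajax.php?action=ls_get_popup_markup HTTP/1.1" 200 96 "-" "curl/8.4.0"
198.51.100.9 - - [28/Mar/2024:02:15:45 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=1%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 96 "-" "curl/8.4.0"
192.0.2.44 - - [28/Mar/2024:02:20:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"
"""

# Apache/Nginx combined format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns are applied to the percent-decoded parameter values.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{8,}\b", re.I),
    "error_based": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "comment_terminator": re.compile(r"(--\s|/\*)"),
}


def parse_line(line):
    """Parse one combined-format line; None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qs(url.query, keep_blank_values=True)  # percent-decodes
    return rec


def classify(rec):
    """Return (verdict, action, hits) for LayerSlider AJAX requests, else None."""
    if not rec["path"].endswith("/admin-ajax.php"):
        return None
    action = rec["params"].get("action", [""])[0]
    if not action.startswith("ls_"):
        return None
    hits = []
    for key, values in rec["params"].items():
        if key == "action":
            continue
        for value in values:
            for name, pattern in SQLI_PATTERNS.items():
                if pattern.search(value):
                    hits.append(f"{name}:{key}")
    if hits:
        return "sqli", action, hits
    if rec["method"] == "POST":
        return "unseen_body", action, hits  # payload would be in the body, not logged here
    return "ls_action", action, hits


def scan(log_text):
    """All LayerSlider AJAX requests in the log, with a verdict per request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        result = classify(rec)
        if result is None:
            continue
        verdict, action, hits = result
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "status": rec["status"], "action": action,
                         "verdict": verdict, "hits": hits})
    return findings


def attacker_ips(findings):
    """IPs with at least one confirmed injection attempt, for the session cross-check."""
    return sorted({f["ip"] for f in findings if f["verdict"] == "sqli"})


if __name__ == "__main__":
    results = scan(SAMPLE_ACCESS_LOG)
    for f in results:
        print(f"{f['ts']}  {f['ip']:15} {f['method']:4} {f['action']:22} "
              f"{f['verdict']:11} {' '.join(f['hits'])}")
    print("IPs to check against admin sessions:", attacker_ips(results))
```

The IPs it returns are the ones to look for in the session_tokens metadata and in wp-login.php traffic: an admin session from one of them with no login POST nearby is the forged-cookie case.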
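The rotation itself, as an added example rather than threatover's own script: it rewrites the eight key and salt defines in a wp-config.php with fresh 64-character CSPRNG values and, for any constant the file never defined (the case where WordPress fell back to database-stored keys), inserts a define before wp-settings.php is loaded. The wp-config.php fragment is constructed, with NONCE_SALT deliberately left out to exercise that path; the function names (rotate_wp_keys, read_wp_keys, new_secret) are assumptions.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php for cookie and nonce signing.
WP_KEY_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable characters that are safe inside a quoted PHP string literal:
# no quotes, no backslash, no `$` (PHP interpolates it in double quotes).
ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{}<>?,./;:|~"

# Matches define('NAME', 'value'); with either quote style and any spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*(?P<q>['"])(?P<name>[A-Z_]+)(?P=q)\s*,\s*"""
    r"""(?P<vq>['"])(?P<value>.*?)(?P=vq)\s*\)\s*;"""
)
# The line before which the constants must exist; covers the old parenthesised form too.
WP_SETTINGS_RE = re.compile(r"require_once\s*\(?\s*ABSPATH\s*\.\s*'wp-settings\.php'\s*\)?\s*;")

# Constructed wp-config.php fragment: placeholder keys, NONCE_SALT never defined.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_PASSWORD', 'not-a-key' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""


def new_secret(length=64):
    """64 characters from the OS CSPRNG, the length WordPress's own generator uses."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def read_wp_keys(config_text):
    """{constant: value} for the key/salt constants defined in the text."""
    return {m.group("name"): m.group("value")
            for m in DEFINE_RE.finditer(config_text)
            if m.group("name") in WP_KEY_CONSTANTS}


def rotate_wp_keys(config_text, generator=new_secret):
    """Replace every key/salt define with a fresh value and add any that are missing."""
    def replace(m):
        name = m.group("name")
        if name not in WP_KEY_CONSTANTS:
            return m.group(0)  # DB_PASSWORD and other defines stay untouched
        return f"define('{name}', '{generator()}');"

    rotated = DEFINE_RE.sub(replace, config_text)
    missing = [c for c in WP_KEY_CONSTANTS if c not in read_wp_keys(rotated)]
    if missing:
        # An undefined constant makes WordPress generate a value and keep it in the
        # database, where an SQLi can read it. Define it here, before wp-settings.php.
        block = "".join(f"define('{c}', '{generator()}');\n" for c in missing)
        m = WP_SETTINGS_RE.search(rotated)
        if m is None:
            raise ValueError("wp-settings.php include not found; cannot place new defines")
        rotated = rotated[:m.start()] + block + rotated[m.start():]
    return rotated


if __name__ == "__main__":
    print(rotate_wp_keys(SAMPLE_WP_CONFIG))
```

Rotating logs every user out, which is the point. Two follow-ups belong with it: destroy the stored sessions as well (wp-cli's `wp user session destroy`, per user with `--all`), and if any constant was missing from wp-config.php, check wp_options for the rows WordPress generated in its place (named after the scheme, e.g. auth_key, auth_salt) and remove them, since they are now dead weight that was readable by the attacker.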

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.