threatover

// CVE-2024-2879 · UNAUTH SQLi · BUNDLED WITH THEMES

LayerSlider SQLi?
We clean it.

Unauthenticated SQL injection in LayerSlider let attackers pull admin password hashes and session secrets. Heaviest impact: sites running themes that bundle LayerSlider and never updated it. Flat $279 to clean up.

§ 01 — WHAT THE BUG WAS

User input → SQL, no authentication.

An AJAX action in LayerSlider accepted user-controlled input that was concatenated into a SQL query. No authentication required. Affected: 7.9.11–7.10.0. Patched: 7.10.1, released March 27, 2024.

An SQLi here is dangerous not because of database modification but because of database extraction — admin password hashes are crackable offline (especially older bcrypt cost factors), and the WordPress AUTH_KEY values stored in wp_options let an attacker forge cookies and skip the login form entirely.

§ 02 — INDICATORS

What we look at.

  • [ ACCESS LOG ]

    POSTs to admin-ajax.php with action=ls_get_popup_markup or other LayerSlider actions, containing classic SQLi patterns (UNION SELECT, hex-encoded payloads).

  • [ SESSIONS ]

    Admin logins from unfamiliar IPs that don't have a matching wp-login.php POST in the same window — suggests forged cookies from leaked AUTH_KEYs.

  • [ USERS ]

    New admins created since March 2024. Existing-admin password changes you didn't make.

  • [ SECRETS ROTATION ]

    If keys were exfiltrated, rotating wp-config.php AUTH_KEY/SECURE_AUTH_KEY/LOGGED_IN_KEY/NONCE_KEY is mandatory before any cleanup is durable. We do this as standard.
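The first two indicators above can be checked mechanically. The following Python script is an added example written for this page, not the service's own tooling: it scans access-log lines for LayerSlider AJAX requests carrying injection patterns, then correlates admin session records against wp-login.php POSTs to surface logins that never went through the form. It assumes combined log format, that LayerSlider AJAX actions share the `ls_` prefix (true of `ls_get_popup_markup`), and that session records with an IP and login time are available (WordPress keeps these in the `session_tokens` usermeta). The log lines and sessions are constructed samples. Parameters sent in a POST body do not appear in a standard access log, so body-logging or WAF logs are needed to catch the POST variant.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: LayerSlider AJAX action names carry this prefix (ls_get_popup_markup does).
LS_ACTION_PREFIX = "ls_"

# Matched against the URL-decoded query string; the label is reported in the finding.
SQLI_PATTERNS = {
    "union-select": re.compile(r"union\s+(all\s+)?select", re.I),
    "hex-literal": re.compile(r"(?<![0-9a-z])0x[0-9a-f]{2,}", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "comment-terminator": re.compile(r"(--|/\*)"),
}

# Constructed sample traffic (RFC 5737 addresses), not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2024:02:14:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [28/Mar/2024:02:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=1%20UNION%20SELECT%20user_pass%20FROM%20wp_users HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.7 - - [28/Mar/2024:02:15:00 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=0x31 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Mar/2024:09:04:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [28/Mar/2024:09:05:10 +0000] "GET /?p=12 HTTP/1.1" 200 7000 "https://example.test/" "Mozilla/5.0"
"""

# Constructed admin session records: (user, ip, login time), as stored in session_tokens.
SAMPLE_SESSIONS = [
    ("admin", "203.0.113.5", "2024-03-28T02:20:00+00:00"),  # no wp-login.php POST from this IP
    ("admin", "192.0.2.9", "2024-03-28T09:05:00+00:00"),    # preceded by a normal form login
]


def parse_line(raw):
    """Split one combined-format line into ip, timestamp, method, path and query."""
    m = LOG_RE.match(raw)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": parts.path,
        "query": parts.query,
    }


def scan_access_log(text):
    """Return LayerSlider AJAX requests whose query string shows injection patterns."""
    hits = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None or not ev["path"].endswith("/admin-ajax.php"):
            continue
        action = parse_qs(ev["query"], keep_blank_values=True).get("action", [""])[0]
        if not action.startswith(LS_ACTION_PREFIX):
            continue  # POST bodies are not in the access log, so body-only requests are invisible here
        decoded = unquote_plus(ev["query"])
        reasons = [label for label, pat in SQLI_PATTERNS.items() if pat.search(decoded)]
        if reasons:
            hits.append({"ip": ev["ip"], "ts": ev["ts"], "action": action, "reasons": reasons})
    return hits


def sessions_without_login(sessions, log_text, window=timedelta(minutes=30)):
    """Flag admin sessions with no wp-login.php POST from the same IP in the preceding window."""
    login_posts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and ev["method"] == "POST" and ev["path"].endswith("/wp-login.php"):
            login_posts.append((ev["ip"], ev["ts"]))
    suspicious = []
    for user, ip, login_iso in sessions:
        login_at = datetime.fromisoformat(login_iso)
        seen_form_login = any(
            p_ip == ip and login_at - window <= p_ts <= login_at for p_ip, p_ts in login_posts
        )
        if not seen_form_login:
            suspicious.append((user, ip))
    return suspicious


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"[SQLi?] {h['ts']} {h['ip']} action={h['action']} reasons={h['reasons']}")
    for user, ip in sessions_without_login(SAMPLE_SESSIONS, SAMPLE_LOG):
        print(f"[forged cookie?] {user} from {ip}: session without a wp-login.php POST")
```

On the sample data the scanner flags the two LayerSlider requests (one UNION SELECT, one hex literal) and the 02:20 admin session from 203.0.113.5, which has no form login behind it; the 09:05 session is cleared by the wp-login.php POST 40 seconds earlier. A hit on either check is the cue to go straight to the user audit and the secrets rotation described above.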

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

FLAT · ONE-TIME · PER SITE

Manual cleanup, entry-vector identification, written forensic report. 30-day reinfection guarantee.

Start a cleanup →

[ SHIELD ]

$29 / mo

PER SITE · CANCEL ANY TIME

Continuous monitoring, hardening, one cleanup per year included.

Get protected →

Site compromised? Let's talk.

Send us what you know. You get a triage and a fixed quote in return — no obligation.

Open intake form →