It has just come to light that the popular LayerSlider Responsive WordPress Slider Plugin, by kreatura, has a serious vulnerability.
All versions of the plugin before 6.2.1 contain cross-site scripting (XSS) and SQL injection vulnerabilities.
In the Slider Settings screen there is an option to save your changes. When that save request is handled, however, the plugin does not verify a nonce. A WordPress nonce is a token that WordPress generates for a specific user, action and time window; a handler that checks it can reject requests that did not come from a form or script WordPress itself issued to that user, which is how WordPress defends against cross-site request forgery (CSRF). A nonce is not a permission check, so a handler also needs to confirm that the caller holds the right capability.
Because the request is never validated, the caller does not have to be an administrator to save those settings.
A single POST request to ‘admin-ajax.php’ (WordPress’s AJAX endpoint) is enough to reach the vulnerable code, and through LayerSlider’s vulnerability that request can carry an arbitrary SQL injection payload.
This weakness can let an attacker enumerate the site’s users, or even create an administrator account for themselves and then do anything they like on the site.
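The following is an illustrative WordPress AJAX handler added for this post; it is not LayerSlider’s code. It shows the pattern described above (a settings save reached through admin-ajax.php with no nonce check, no capability check and string-built SQL) next to a hardened version. The action name `demo_save_slider_settings`, the table `{prefix}demo_sliders`, the request parameters `id`, `settings` and `nonce`, and the allowed settings keys are all assumptions made for the example.

```php
<?php
/*
 * Illustrative WordPress AJAX handler written for this post (NOT LayerSlider code).
 * Both handlers would be reached as POST admin-ajax.php?action=demo_save_slider_settings.
 * Action name, table name, parameter names and settings keys are assumptions.
 */

// --- BEFORE: the vulnerable pattern described in the post ----------------------
// No nonce, no capability check, and both request values are concatenated into
// SQL. Any caller who can reach admin-ajax.php can fire this, and a crafted `id`
// or `settings` value changes the structure of the UPDATE statement.
function demo_save_slider_settings_insecure() {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_sliders';   // assumed table
    $id    = $_POST['id'];                     // untrusted, unsanitized
    $json  = $_POST['settings'];               // untrusted, unsanitized

    $wpdb->query( "UPDATE {$table} SET settings = '{$json}' WHERE id = {$id}" );
    wp_send_json_success();
}
// Left unregistered on purpose; shown only for contrast with the hardened handler.
// add_action( 'wp_ajax_demo_save_slider_settings', 'demo_save_slider_settings_insecure' );

// --- AFTER: hardened -------------------------------------------------------------
function demo_save_slider_settings_secure() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce issued for this action to this user.
    //    check_ajax_referer() stops the request (HTTP 403, body "-1") if the nonce
    //    is missing or no longer valid.
    check_ajax_referer( 'demo_save_slider_settings', 'nonce' );

    // 2. Authorization: a valid nonce only proves the request came from a page
    //    WordPress served to this user. It says nothing about what the user may do,
    //    so require the capability an administrator has and a subscriber does not.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: the slider ID must be a positive integer and the
    //    settings payload must be a JSON object containing only expected keys.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid slider id', 400 );
    }
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'settings must be a JSON object', 400 );
    }
    $allowed = array( 'width', 'height', 'autoplay' );   // assumed settings schema
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $settings[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( (string) $settings[ $key ] );
        }
    }

    // 4. SQL: parameterize. $wpdb->prepare() quotes %s and casts %d, so neither
    //    value can alter the statement. Only the trusted table prefix is interpolated.
    $table   = $wpdb->prefix . 'demo_sliders';
    $updated = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET settings = %s WHERE id = %d",
            wp_json_encode( $clean ),
            $id
        )
    );
    if ( false === $updated ) {
        wp_send_json_error( 'database error', 500 );
    }
    wp_send_json_success( array( 'id' => $id, 'rows' => $updated ) );
}
add_action( 'wp_ajax_demo_save_slider_settings', 'demo_save_slider_settings_secure' );
// Deliberately no wp_ajax_nopriv_ hook: logged-out visitors never reach this handler.

// The settings page must hand the nonce to the script that performs the save,
// for example when enqueueing it (script handle and file name are assumptions):
function demo_enqueue_settings_script() {
    wp_enqueue_script( 'demo-slider-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-slider-admin', 'demoSlider', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_save_slider_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_settings_script' );
```

The three checks in the hardened handler address three distinct failures: the nonce stops a forged cross-site request, the capability check stops a low-privileged account that is logged in legitimately, and the prepared statement stops a valid request from carrying SQL. Fixing only the nonce, as the post’s description might suggest, would still leave any logged-in user able to save settings.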
To close the security gap on your website, update the LayerSlider plugin to the latest version, or at a minimum to version 6.2.1.
Here at WPX Hosting, we are already scanning all websites hosted with us to check for this plugin and its weakness. In the meantime, please update Layer Slider to the latest version as soon as possible.