If you use the WordPress plugin Slimstat, you should update it immediately
A vulnerability has been found in the popular WordPress plugin WP-Slimstat. The makers of Slimstat describe their product as a “leading web analytics plugin for WordPress,” and with more than 1.3 million downloads it’s hard to dispute that they hold a decent chunk of this market.
However, those download numbers also mean that well over a million sites are potentially exposed to the vulnerability discovered in the plugin.
Rooted out by Sucuri (the same security company that uncovered the SoakSoak malware campaign), the vulnerability in Slimstat could allow SQL injection once an attacker gets past the plugin’s weak secret key.
Writing for Sucuri’s Security Blog, Marc-Alexandre Montpas said that once that key is cracked, it would be relatively easy for a malicious user to perform a SQL injection attack against a target website.
Montpas went on in his analysis of the severity of this vulnerability:
“This bug can be used by any visitor browsing the vulnerable website. If your website uses a vulnerable version of the plugin you’re at risk. Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover).”
Montpas’s analysis also showed that the Slimstat plugin’s “secret” key was actually “a hashed version of the plugin’s installation timestamp.” Because an installation date is far easier to guess than a randomly generated key, a determined attacker could use various methods to narrow down that timestamp, recover the key, and gain access through this vulnerability. For security reasons, we will not post how this process is completed.
Sucuri rates the Slimstat WordPress bug as a “Very High” security risk. While the odds of someone accessing your site through this vulnerability are currently low, with the increased coverage of the flaw attackers are sure to try their luck with a few brute-force attempts on tempting targets.
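To show why a key derived from an installation timestamp offers so little protection, here is an added example that is not Slimstat’s code and does not use its data format or endpoints: a constructed model of a timestamp-derived secret next to a properly random one, a stand-in HMAC "signing" step, and a search that recovers the weak key from a single signed message. The install timestamp, the payload and the search window are all constructed values.

```python
# Added example (not the plugin's code): a timestamp-derived secret beside a
# random one, and why the first falls to a simple search.
import hashlib
import hmac
import math
import secrets


def weak_secret(install_ts: int) -> str:
    """Model of a timestamp-derived key: all of its 'entropy' is the install time."""
    return hashlib.md5(str(install_ts).encode()).hexdigest()


def strong_secret() -> str:
    """Hardened form: 256 bits from the OS CSPRNG, unrelated to any guessable event."""
    return secrets.token_hex(32)


def sign(secret: str, payload: bytes) -> str:
    """Stand-in for 'sign client data with the secret' (Slimstat's real scheme differs)."""
    return hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()


def recover_weak_secret(payload: bytes, signature: str, window_start: int, window_end: int):
    """Try every second in [window_start, window_end); return (timestamp, key) on a match.

    With one observed (payload, signature) pair the attacker only needs a rough idea
    of when the plugin was installed: a week is about 6e5 candidates, a year 3.2e7.
    """
    for ts in range(window_start, window_end):
        candidate = weak_secret(ts)
        if hmac.compare_digest(sign(candidate, payload), signature):
            return ts, candidate
    return None


def search_space_bits(seconds: int) -> float:
    """Effective key strength of a timestamp secret known to lie in a window of `seconds`."""
    return math.log2(seconds)


if __name__ == "__main__":
    INSTALL_TS = 1420070400                      # constructed: 2015-01-01 00:00:00 UTC
    PAYLOAD = b"constructed tracker payload"     # constructed sample message
    observed_sig = sign(weak_secret(INSTALL_TS), PAYLOAD)   # what any visitor could capture

    # Attacker guesses "installed around New Year" and searches a ~28-hour window.
    print("recovered:", recover_weak_secret(PAYLOAD, observed_sig, 1420000000, 1420100000))
    print("timestamp key, 1-year window: %.1f bits" % search_space_bits(365 * 86400))
    print("random key: 256 bits, e.g.", strong_secret())
```

The point of the comparison is the size of the search: a key that is a function of a timestamp known to within a year has under 25 bits of effective strength, which a laptop enumerates in seconds, whereas `secrets.token_hex(32)` cannot be narrowed down by anything an attacker can observe about the site.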
How to protect your site
The vulnerability in the Slimstat WordPress plugin affects versions 3.9.5 and lower. The Slimstat team has already responded to the security issue and released a patch. If you use the Slimstat plugin on any of your WordPress sites, update to the patched version immediately.
At the time of this writing, the patched version is WP-Slimstat 3.9.6.
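If you manage several WordPress installs, the following added script (not part of the original post and not something shipped by WP-CLI or Slimstat) checks the installed WP-Slimstat version on each WordPress root you pass to it and updates the ones still below 3.9.6. It assumes WP-CLI is installed as `wp` and that the plugin is installed under its WordPress.org slug, `wp-slimstat`.

```shell
#!/bin/sh
# Added example: report and update vulnerable WP-Slimstat installs via WP-CLI.
# Assumes `wp` is on PATH and the plugin's slug is wp-slimstat.
FIXED_VERSION=3.9.6
PLUGIN_SLUG=wp-slimstat

# version_lt A B: exit 0 if A < B, comparing dot-separated numeric components
# ("3.9" is treated as "3.9.0"). Pre-release suffixes such as "-beta" are not handled.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 1; fi
    done
    return 1
}

# Usage: sh check-slimstat.sh /var/www/site1 /var/www/site2 ...
for site in "$@"; do
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$site" 2>/dev/null) || {
        echo "$site: $PLUGIN_SLUG not installed (or wp-cli failed), skipping"
        continue
    }
    if version_lt "$installed" "$FIXED_VERSION"; then
        echo "$site: $PLUGIN_SLUG $installed is vulnerable, updating"
        wp plugin update "$PLUGIN_SLUG" --path="$site"
    else
        echo "$site: $PLUGIN_SLUG $installed is at or above $FIXED_VERSION"
    fi
done
```

Run it as the user that owns the WordPress files so that the update can write to `wp-content/plugins`, and re-run it afterwards to confirm every site reports a version at or above 3.9.6.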
As always, if you have any questions about updating this plugin on your WordPress site, don’t hesitate to contact a member of our support team.
Works Cited / For Further Reading:
Security Advisory — WP-Slimstat 3.9.5 and lower (Sucuri)
Over 1 million WordPress websites at risk from SQL injection (ZDNet)
More than 1 million WordPress websites imperiled by critical plugin bug (Ars Technica)
Slimstat for WordPress plugin (Slimstat)