Critical bug puts millions of WordPress sites in danger

Less than a month after a WordPress plugin Fancybox was discovered to have serious vulnerability issues, putting half a million websites at risk, another plugin was discovered to pose great danger.

The plugin in question is called WP-Slimstat, and it’s an analytics tool, downloaded over a million times. However, it was already patched up, and everyone using this plugin should update to version 3.9.6 as soon as possible.

As was discovered by Web security firm Sucuri, older versions contain a fairly guessable key that's used to sign data sent to and from visiting end-user computers.

In a post published on the Sucuri blog, it says that the vulnerability in the WordPress sites can lead to an SQL injection which can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites.

"If your website uses a vulnerable version of the plugin, you’re at risk," Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri, wrote. "Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover)."

WP-Slimstat used a “secret” key to sign data sent to/from the client. The “secret” was a hashed version of the plugin’s installation timestamp. An attacker could use sites like Internet Archive to approximately guess what year the site was put online.

After that, the attacker has some 30 million values to test, something doable within 10 minutes with most modern CPUs, says Sucuri.

“This is a dangerous vulnerability,” it says in the blog post. “

You should update all of your websites using this plugin as soon as possible.”