Flaw in popular Web analytics plug-in exposes WordPress sites to hacking

25.02.2015
WordPress site owners using the WP-Slimstat plug-in installed should upgrade it to the latest version immediately in order to fix a critical vulnerability, security researchers warn.

WP-Slimstat, a Web analytics plug-in for WordPress, has been downloaded over 1.3 million times and is highly rated by users. The plug-in allows site owners to track returning visitors and registered users, monitor JavaScript events, detect intrusions, analyze email campaigns and more.

Researchers from Web security firm Sucuri found a vulnerability that stems from weak cryptographic key generation in WP-Slimstat versions 3.9.5 and lower. If attackers can determine the secret key used by the plug-in, they can launch blind SQL injection attacks that enable them to read sensitive information from the site's database.

That sensitive information can include usernames, password hashes, and, in certain configurations, WordPress secret keys that if exposed, can lead to a total takeover of the affected sites, Sucuri senior vulnerability researcher Marc-Alexandre Montpas said in a blog post Tuesday.

The plug-in's secret key is generated by running the MD5 hash algorithm over a timestamp that corresponds to the plug-in's installation on the website. Guessing when the plug-in was installed might appear to be hard, but it's not.

An attacker can determine the year when the site was created, which is likely the same year when the plug-in was installed, by looking at the Internet Archive or other sources online. Once that part of the timestamp is determined, there are 30 million possible values left for the rest of it.

Testing all those values and comparing the resulting signatures with signatures used on the site can be done in 10 minutes using most modern CPUs, Montpas said.

"This is a dangerous vulnerability, you should update all of your websites using this plugin as soon as possible," the researcher said.

The WP-Slimstat developers released version 3.9.6 last week in order to address the issue.

"The security of our users' data is our top priority, and for this reason we tightened our SQL queries and made our encryption key harder to guess," they wrote in the plug-in's changelog. "If you are using a caching plugin, please flush its cache so that the tracking code can be regenerated with the new key."

Lucian Constantin

Zur Startseite