Over a million WP sites at risk of hijacking due to plugin bug


Users who run their websites on the popular WordPress CMS and are also using the WP-Slimstat web analytics plugin should update as soon as possible, warns Sucuri vulnerability researcher Marc-Alexandre Montpas.

The reason behind this warning is that every version of the plugin prior to the recently released 3.9.6 has been found to contain a bug that could ultimately allow a remote attacker to hijack the site.

“WP-Slimstat used a ‘secret’ key to sign data sent to/from the client. By looking at how it was generated, we found it would be possible for an attacker to guess its original value,” Montpas explained in a security advisory.

“Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover).”

According to the numbers shown by WP’s Plugin Directory, WP-Slimstat has been downloaded over 1.3 million times. Of course, that doesn’t mean that all those who downloaded it still use it, but those who do would be wise to update the plugin immediately.
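To make the signing flaw Montpas describes concrete, here is how a signed client round-trip should be built. This is an added illustrative example in Python, not WP-Slimstat's own (PHP) code: the secret comes from the OS CSPRNG rather than from any value an attacker could reconstruct, an HMAC tag covers the payload, and verification uses a constant-time comparison. The payload fields are made up for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets


def generate_secret() -> bytes:
    # 32 bytes (256 bits) from the OS CSPRNG. The point of the advisory is that a
    # secret derived from something predictable (install time, site URL, a short
    # counter) can be guessed; a random value of this size cannot.
    return secrets.token_bytes(32)


def sign_payload(secret: bytes, payload: dict) -> str:
    # Canonical JSON so the same data always produces the same bytes, then a
    # URL-safe base64 body and an HMAC-SHA256 tag over that body.
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(raw).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_payload(secret: bytes, token: str):
    # Returns the payload dict if the tag is valid, otherwise None. Anything that
    # fails here must be treated as untrusted input and never reach a SQL query.
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak tag bytes via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, json.JSONDecodeError):
        return None


def tamper_check() -> tuple:
    # Constructed demonstration: a genuine token verifies, a token whose body was
    # edited by the client (visitor id changed) is rejected, and so is a token
    # checked against a different secret.
    secret = generate_secret()
    token = sign_payload(secret, {"visitor": 42, "page": "/about"})
    body, tag = token.rsplit(".", 1)
    edited = base64.urlsafe_b64encode(b'{"page":"/about","visitor":1}').decode()
    return (
        verify_payload(secret, token),
        verify_payload(secret, f"{edited}.{tag}"),
        verify_payload(generate_secret(), token),
    )
```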