Menu
Flaw in popular Web analytics plug-in exposes WordPress sites to hacking

Flaw in popular Web analytics plug-in exposes WordPress sites to hacking

Attackers can easily crack cryptographic keys used by the WP-Slimstat plug-in and use them to read information from a site's database

WordPress site owners using the WP-Slimstat plug-in installed should upgrade it to the latest version immediately in order to fix a critical vulnerability, security researchers warn.

WP-Slimstat, a Web analytics plug-in for WordPress, has been downloaded over 1.3 million times and is highly rated by users. The plug-in allows site owners to track returning visitors and registered users, monitor JavaScript events, detect intrusions, analyze email campaigns and more.

Researchers from Web security firm Sucuri found a vulnerability that stems from weak cryptographic key generation in WP-Slimstat versions 3.9.5 and lower. If attackers can determine the secret key used by the plug-in, they can launch blind SQL injection attacks that enable them to read sensitive information from the site's database.

That sensitive information can include usernames, password hashes, and, in certain configurations, WordPress secret keys that if exposed, can lead to a total takeover of the affected sites, Sucuri senior vulnerability researcher Marc-Alexandre Montpas said in a blog post Tuesday.

The plug-in's secret key is generated by running the MD5 hash algorithm over a timestamp that corresponds to the plug-in's installation on the website. Guessing when the plug-in was installed might appear to be hard, but it's not.

An attacker can determine the year when the site was created, which is likely the same year when the plug-in was installed, by looking at the Internet Archive or other sources online. Once that part of the timestamp is determined, there are 30 million possible values left for the rest of it.

Testing all those values and comparing the resulting signatures with signatures used on the site can be done in 10 minutes using most modern CPUs, Montpas said.

"This is a dangerous vulnerability, you should update all of your websites using this plugin as soon as possible," the researcher said.

The WP-Slimstat developers released version 3.9.6 last week in order to address the issue.

"The security of our users' data is our top priority, and for this reason we tightened our SQL queries and made our encryption key harder to guess," they wrote in the plug-in's changelog. "If you are using a caching plugin, please flush its cache so that the tracking code can be regenerated with the new key."


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchessecurityAccess control and authenticationSucuriencryptiondata protection

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments