Menu
Flaw in popular Web analytics plug-in exposes WordPress sites to hacking

Flaw in popular Web analytics plug-in exposes WordPress sites to hacking

Attackers can easily crack cryptographic keys used by the WP-Slimstat plug-in and use them to read information from a site's database

WordPress site owners using the WP-Slimstat plug-in installed should upgrade it to the latest version immediately in order to fix a critical vulnerability, security researchers warn.

WP-Slimstat, a Web analytics plug-in for WordPress, has been downloaded over 1.3 million times and is highly rated by users. The plug-in allows site owners to track returning visitors and registered users, monitor JavaScript events, detect intrusions, analyze email campaigns and more.

Researchers from Web security firm Sucuri found a vulnerability that stems from weak cryptographic key generation in WP-Slimstat versions 3.9.5 and lower. If attackers can determine the secret key used by the plug-in, they can launch blind SQL injection attacks that enable them to read sensitive information from the site's database.

That sensitive information can include usernames, password hashes, and, in certain configurations, WordPress secret keys that if exposed, can lead to a total takeover of the affected sites, Sucuri senior vulnerability researcher Marc-Alexandre Montpas said in a blog post Tuesday.

The plug-in's secret key is generated by running the MD5 hash algorithm over a timestamp that corresponds to the plug-in's installation on the website. Guessing when the plug-in was installed might appear to be hard, but it's not.

An attacker can determine the year when the site was created, which is likely the same year when the plug-in was installed, by looking at the Internet Archive or other sources online. Once that part of the timestamp is determined, there are 30 million possible values left for the rest of it.

Testing all those values and comparing the resulting signatures with signatures used on the site can be done in 10 minutes using most modern CPUs, Montpas said.

"This is a dangerous vulnerability, you should update all of your websites using this plugin as soon as possible," the researcher said.

The WP-Slimstat developers released version 3.9.6 last week in order to address the issue.

"The security of our users' data is our top priority, and for this reason we tightened our SQL queries and made our encryption key harder to guess," they wrote in the plug-in's changelog. "If you are using a caching plugin, please flush its cache so that the tracking code can be regenerated with the new key."


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags patchessecurityAccess control and authenticationSucuriencryptiondata protection

Featured

Slideshows

Channel celebrates as HP marks 50 years in NZ

Channel celebrates as HP marks 50 years in NZ

HP marked 50 years in New Zealand at an event in the vendor's Auckland's headquarters last night, with a host of key channel figures coming along to celebrate. Photos by HP.

Channel celebrates as HP marks 50 years in NZ
EDGE 2017 - Icebreaker Sessions round 2

EDGE 2017 - Icebreaker Sessions round 2

EDGE guests experience the value of networking at the second round of Icebreaker sessions.. Photos by Maria Stefina

EDGE 2017 - Icebreaker Sessions round 2
EDGE 2017 Dinner Under the Stars

EDGE 2017 Dinner Under the Stars

EDGE's Day 2 keynote and breakout sessions were followed by the Dinner Under the Stars. Over 300 people were present to enjoy a seafood feast and lots of excitement at Hamilton Island's Bougainvillea Marquee. Photos by Maria Stefina.

EDGE 2017 Dinner Under the Stars
Show Comments