
P0wned plug-in puts a million WordPress sites at risk of attack

See? We told you blogs were dangerous

Up to a million WordPress websites could be open to full compromise through a vulnerability in the WP-Slimstat plug-in, security bod Marc-Alexandre Montpas says.

The weak key flaw can expose admin credentials; bad news for the folks who've downloaded the plug-in 1.3 million times.

A patched version of the plug-in has been released. While WordPress has fine auto-update features, not everyone uses them. All prior versions of WP-Slimstat have the problem, making it a ripe attack vector.

“This bug can be used by any visitor browsing the vulnerable website – if your website uses a vulnerable version of the plug-in, you’re at risk,” says Montpas, of security firm Sucuri.

“Successful exploitation of this bug could lead to blind SQL injection attacks, which means an attacker could grab sensitive information from your database, including usernames, hashed passwords and – in certain configurations – WordPress secret keys, which could result in a total site takeover.

“This is a dangerous vulnerability, you should update all of your websites using this plug-in as soon as possible.”

Object injection vulnerabilities are also possible depending on which other plug-ins a target site has installed.

The patch for WP-Slimstat increases the security of its SQL queries and makes its encryption key harder to guess, developers say.

"If you are using a caching plug-in, please flush its cache so that the tracking code can be regenerated with the new key," WordPress bods warn in the plug-in changelog.

"Also, if you are using Slimstat to track external websites, please make sure to replace the tracking code with the new one."
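The two hardening steps the patch is described as making, stronger SQL queries and a key that cannot be guessed, map onto standard WordPress plug-in patterns. The following is an added illustration written for this article, not WP-Slimstat's own code and not the fix the developers shipped: it shows a string-built query beside its `$wpdb->prepare()` form, a per-site secret drawn from the CSPRNG, and a rotation path that matches the changelog's advice to regenerate the tracking code after the key changes. The option name `example_plugin_secret`, the table `example_visits` and the function names are assumptions; `$wpdb`, `get_option`, `update_option` and `wp_generate_password` are real WordPress APIs.

```php
<?php
// Added illustration for this article (not WP-Slimstat's code). Assumes it runs
// inside WordPress, so $wpdb, get_option() and update_option() are available.
// Names prefixed "example_" are made up for the illustration.

// --- 1. Queries -------------------------------------------------------------

// WEAK: untrusted input concatenated into SQL. Any gap in escaping lets a visitor
// change the query's shape, which is how a blind SQL injection reads other rows.
function example_count_visits_unsafe(string $resource): int {
    global $wpdb;
    $sql = "SELECT COUNT(*) FROM {$wpdb->prefix}example_visits WHERE resource = '" . $resource . "'";
    return (int) $wpdb->get_var($sql);
}

// STRONG: $wpdb->prepare() binds the value as data; the input can never alter
// the statement, only the value compared against it.
function example_count_visits_safe(string $resource): int {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}example_visits WHERE resource = %s",
        $resource
    );
    return (int) $wpdb->get_var($sql);
}

// --- 2. The per-site secret -------------------------------------------------

// A secret must come from the operating system CSPRNG, never from something a
// visitor can estimate (install time, site URL, a hash of either). 32 random
// bytes give 256 bits of entropy; hex encoding makes the key safe to store.
function example_new_secret(): string {
    return bin2hex(random_bytes(32)); // 64 hex characters
}

// Read the stored secret, creating it on first use. Pass $rotate = true to
// replace a key that is known or suspected to be weak; anything derived from
// the old key (e.g. cached tracking code) must then be regenerated, which is
// what the changelog's "flush the cache" advice is about.
function example_get_secret(bool $rotate = false): string {
    $key = get_option('example_plugin_secret');
    if ($rotate || !is_string($key) || strlen($key) !== 64 || !ctype_xdigit($key)) {
        $key = example_new_secret();
        update_option('example_plugin_secret', $key, false); // autoload = false
    }
    return $key;
}

// Derive the token embedded in client-side tracking code from the secret with an
// HMAC rather than exposing the secret itself, and compare in constant time so
// the check leaks nothing about the expected value.
function example_tracking_token(string $secret, string $site_id): string {
    return hash_hmac('sha256', $site_id, $secret);
}

function example_token_is_valid(string $presented, string $secret, string $site_id): bool {
    return hash_equals(example_tracking_token($secret, $site_id), $presented);
}
```

Rotation is the part administrators see: when the key changes, every copy of the tracking snippet that embeds a token derived from the old key stops validating, so cached pages and any external sites carrying the old snippet have to be refreshed, exactly as the changelog notes above say.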

WordPress plug-ins are a favourite of hackers, and of Sucuri. Earlier this month, fellow security boffin Daniel Cid reported how FancyBox, which at the time had been downloaded 500,000 times, contained a flaw that bad guys were using in zero-day attacks, leading him to urge admins to remove the plug-in.

That followed Cid's June report that 50,000 sites had been sprayed with malware.

In the same month, Montpas found the All in One SEO plugin, then downloaded 19 million times, allowed attackers to trash a site's SEO rep through cross-site scripting and privilege escalation attacks. ®
