Up to a million WordPress websites could be open to full compromise through a vulnerability in the WP-Slimstat plug-in, security bod Marc-Alexandre Montpas says.
The weak key flaw can expose admin credentials; bad news for the folks who've downloaded the plug-in 1.3 million times.
A patched version of the plug-in has been released. While WordPress has fine auto-update features, not everyone uses those. All prior versions of the WP-Slimstat have the problem, making it a ripe attack vector.
“This bug can be used by any visitor browsing the vulnerable website – if your website uses a vulnerable version of the plug-in, you’re at risk,” says Montpas, of security firm Sucuri.
“Successful exploitation of this bug could lead to blind SQL injection attacks, which means an attacker could grab sensitive information from your database, including usernames, hashed passwords and – in certain configurations – WordPress secret keys, which could result in a total site takeover.
“This is a dangerous vulnerability, you should update all of your websites using this plug-in as soon as possible.”
Object injection vulnerabilities are also possible depending on which other plug-ins a target site has installed.
The patch for WP-Slimstat increases the security of its SQL queries and makes its encryption key harder to guess, developers say.
"If you are using a caching plug-in, please flush its cache so that the tracking code can be regenerated with the new key," WordPress bods warn in the plug-in changelog.
"Also, if you are using Slimstat to track external websites, please make sure to replace the tracking code with the new one."
WordPress plug-ins are a favourite of hackers, and of Sucuri. Earlier this month, fellow security boffin Daniel Cid reported how FancyBox, which at the time had been downloaded 500,000 times, contained a flaw that bad guys were using in zero day attacks, leading him to urge admins to remove the plug-in.
That followed Cid's June report that 50,000 sites had been sprayed with malware.
In the same month, Montpas found the All in One SEO plugin, then downloaded 19 million times, allowed attackers to trash a site's SEO rep through cross-site scripting and privilege escalation attacks. ®