A web analytics plugin is one of the most useful tools for keeping tabs on how your website is performing and for making decisions based on the data it provides. But when things go bad, it can also bring tremendous damage to your site.
Marc-Alexandre Montpas, a security researcher, discovered a vulnerability in the WP-Slimstat plugin that could potentially expose your website to the manipulative techniques of malicious hackers through SQL injection attacks. Based on the number of downloads for this plugin, more than a million websites are now susceptible to a complete takeover by the bad actors due to this vulnerability.
Once an attacker carries out several SQL injection attacks, he could then view sensitive information from your website’s database: usernames, hashed passwords and secret keys. This WP-Slimstat vulnerability also makes it easy for a hijacker to determine the value of the key this plugin uses to log data transmitted to and received from the user.
Once the key’s value has been guessed, everything else follows smoothly. This essentially makes the WordPress secret key, well, a little less secret.
Here’s what is happening under the hood. The key is a hashed version of the plugin’s installation timestamp, hashed to keep it safe from eavesdroppers. In other words, the key contains the data about when the plugin was installed on your website.
Even the least tech-savvy person will know how to find out this data by just looking into the home page’s archive. That’s what makes it easy for hijackers to take advantage of this plugin vulnerability.
Once this information is obtained, the hacker can then pair the key with timestamps that come from WP-Slimstat in order to carry out the SQL injection attack. This is made even worse by the fact that SQL attacks are nothing new to attackers: they only need to query a database using questions answerable with true or false values. For the WP-Slimstat vulnerability, all a hijacker needs to do is brute force the website’s timestamps in order to extract the exact string of characters that is based on the site’s home page.
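To show why a key derived from an installation timestamp offers so little secrecy, here is an added example (not WP-Slimstat's own code) that puts a timestamp-derived key beside one drawn from the operating system's random generator. The function names, the use of MD5 as the hash, and the sample timestamp are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not the plugin's code.

// Weak: the only unknown input is the install time in seconds.
// The hash (MD5 here, an assumption) hides the value but adds no entropy.
function weak_secret(int $installTime): string
{
    return md5((string) $installTime);
}

// Hardened: 256 bits from the OS CSPRNG, unrelated to any observable fact
// about the site. Generate once at install time and store it.
function strong_secret(): string
{
    return bin2hex(random_bytes(32));
}

// Upper bound, in bits, on the secrecy of a timestamp-derived key when the
// install time is known to fall inside a window of $windowSeconds.
function timestamp_key_bits(int $windowSeconds): float
{
    return log(max(1, $windowSeconds), 2);
}

$installTime = 1400000000; // constructed sample value, not from the page

printf("timestamp-derived key: %s\n", weak_secret($installTime));
printf("random key:            %s\n", strong_secret());

// How much secrecy is left as the install date becomes better known.
$windows = [
    '10 years' => 3650 * 86400,
    '1 year'   => 365 * 86400,
    '1 day'    => 86400,
];
foreach ($windows as $label => $seconds) {
    printf(
        "install time known to within %-8s -> at most %4.1f bits\n",
        $label,
        timestamp_key_bits($seconds)
    );
}
printf("random key                            -> %d bits\n", 32 * 8);
```

Both keys look equally random as hex strings; the difference is only in how many candidate inputs could have produced them, which is why the hashing step alone does not protect the timestamp-derived key.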
The good news is that the plugin has been updated to address this issue. Websites that still use the older version of the plugin remain vulnerable to SQL injection attacks. It is highly advisable for them to update to the latest version of the plugin because of the severe consequences this vulnerability might bring upon a site.