Jump to content
Aerosol

As many as 1 million+ WordPress sites imperiled by critical plugin bug

Recommended Posts

Posted

More than one million websites that run on the WordPress content management application run the risk of being completely hijacked by attackers exploiting critical vulnerability in most versions of a plugin called WP-Slimstat.

Versions prior to the recently released Slimstat 3.9.6 contain a readily guessable key that's used to sign data sent to and from visiting end-user computers, according to a blog post published Tuesday by Web security firm Sucuri. The result is a SQL injection vector that can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites.

"If your website uses a vulnerable version of the plugin, you’re at risk," Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri, wrote. "Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover)."

The WP-Slimstat secret key is nothing more than the MD5 hash of the plugin’s installation timestamp. An attacker could use the Internet Archive or similar sites to determine the year a vulnerable site was put online. That would leave an attacker with about 30 million values to test, an undertaking that could be completed in about 10 minutes. Once the secret key has been divined, the attacker can use it to pull data out of the database.

WP-Slimstat is an analytics tool. Its listing on WordPress shows it has been downloaded more than 1.3 million times. People who operate websites that use the plugin should update immediately.

Post updated to change headline. It previously read: More than1 million WordPress websites imperiled by critical plugin bug.

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...