1.3 Million WordPress Sites Vulnerable To Hackers
Researchers from the security firm Sucuri found a vulnerability in the WP-Slimstat plugin that allows an attacker to launch a blind SQL injection attack against the site. The vulnerability is caused by weak cryptographic key generation in WP-Slimstat versions 3.9.5 and lower.
WP-Slimstat is a WordPress plugin that lets site owners track visitors in real time, detect intrusions, and more. If an attacker can determine the secret key used by the plugin, they can launch a successful blind SQL injection attack that enables them to access sensitive information from the database, including usernames, hashed passwords and, in certain configurations, the WordPress secret keys (which could result in a total site takeover).

ATTACK SCENARIO

WP-Slimstat uses a “secret” key (a hashed version of the plugin’s installation time-stamp) to sign data sent to and from the client. An attacker could guess the time-stamp using sites like the Internet Archive and then brute-force the guessed time-stamps until they obtain the same signature as the one on the site’s home page. If successful, the attacker can use this bug to perform an SQL injection attack.
All users should update the plugin as soon as possible to prevent hackers from taking over the website.
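The following is an added illustration of why a key derived from a public, low-entropy value is a problem, and what the fix looks like. It is not code from WP-Slimstat or from Sucuri: the weak derivation (MD5 of the installation time-stamp as a decimal string), the HMAC signing scheme, and the payload are all assumptions constructed for the example. The point it makes is that a time-stamp known to within a window of seconds gives only as many candidate keys as there are seconds in that window, whereas a key drawn from the OS CSPRNG has a 2^256 key space and no relationship to anything an observer can look up.

```python
import hashlib
import hmac
import secrets

# Assumed weak derivation (illustrative, not the plugin's actual code):
# the signing key is MD5 of the installation time-stamp, a value that
# can be estimated from public sources such as web archives.
def weak_key_from_timestamp(install_ts: int) -> str:
    return hashlib.md5(str(install_ts).encode()).hexdigest()


# Hardened alternative: 256 bits from the OS CSPRNG, generated once at
# install time and stored server-side. Nothing public constrains it.
def strong_key() -> str:
    return secrets.token_hex(32)


def sign(key: str, payload: bytes) -> str:
    """HMAC-SHA256 over the payload; the scheme itself is fine, the key is the issue."""
    return hmac.new(key.encode(), payload, hashlib.sha256).hexdigest()


def verify(key: str, payload: bytes, signature: str) -> bool:
    # compare_digest avoids leaking the mismatch position via timing
    return hmac.compare_digest(sign(key, payload), signature)


def weak_keyspace(window_seconds: int) -> int:
    """Candidate keys an attacker must try if the install time is known to within a window."""
    return window_seconds  # one candidate per second


STRONG_KEYSPACE = 2 ** 256  # candidates for a 32-byte random key


def recover_timestamp(observed_sig: str, payload: bytes,
                      guess_center: int, window_seconds: int):
    """Cost of the weak scheme: one HMAC per candidate second in the window.

    Returns the time-stamp whose derived key reproduces observed_sig, or None.
    Against a CSPRNG-derived key this search finds nothing.
    """
    for ts in range(guess_center - window_seconds, guess_center + window_seconds + 1):
        if verify(weak_key_from_timestamp(ts), payload, observed_sig):
            return ts
    return None


if __name__ == "__main__":
    install_ts = 1425000000            # constructed install time (2015-02-27 UTC)
    payload = b"constructed signed payload"

    weak_sig = sign(weak_key_from_timestamp(install_ts), payload)
    # An estimate that is off by 40 seconds, searched over a +/- 100 s window
    print("weak key recovered:", recover_timestamp(weak_sig, payload, install_ts + 40, 100))

    strong_sig = sign(strong_key(), payload)
    print("strong key recovered:", recover_timestamp(strong_sig, payload, install_ts, 100))

    print("weak candidates for a one-year window:", weak_keyspace(365 * 24 * 3600))
    print("strong candidates:", STRONG_KEYSPACE)
```

Even a one-year uncertainty on the install date leaves fewer than 2^25 candidate keys, which is trivial to enumerate; a random 256-bit key removes the shortcut entirely, which is why the remediation is to upgrade rather than to hide the installation date.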
