(LiveHacking.Com) – A recent security advisory from Sucri has revealed that the popular WordPress plugin WP-Slimstat is vulnerable to SQL injection attacks because of a weak secret key.
If exploited fully the bug could allow hackers to use SQL injection attacks to download sensitive information from a susceptible site’s database, including username, and (hopefully) hashed passwords. According to Sucri it could even be possible, in certain situations, for the attacker to find the WordPress Secret Keys and then takeover the site completely.
The problem is with the secret key used by the plugin to sign data sent to/from the client. The key used is in fact the MD5 hash of the plugin’s installation timestamp. Although it would be impossible to guess the exact date and time of the plugin installation, it might be possible to guess the approximate date and therefore drastically reduce the number of combinations.
Only the correct year is needed to reduce the number of possibilities down to 30 million values, which according to Sucri is computable in around 10 minutes using modern setups. Part of the problem is that MD5 hashes are quite breakable using modern CPU/GPU combinations.
Once the correct MD5 hash has been discovered then fake data can be sent to the plugin. Then, due to a second bug – which allows an attacker to insert arbitrary data into an unserialize() call, the attacker can execute arbitrary SQL queries and allow them to get any data they want from the database.
“This is a dangerous vulnerability, you should update all of your websites using this plugin as soon as possible,” wrote Marc-Alexandre Montpas on Sucri’s blog.
WP-Slimstat is an analytics tool. Its listing on WordPress shows it has been downloaded more than 1.3 million times. People who operate websites that use the plugin should update immediately. All versions before 3.9.6 are vulnerable.