Security researchers recently found that the key the WP-Slimstat WordPress plug-in uses to sign data exchanged between the server and the client, a value that was expected to be "secret", was in fact very easy to crack. According to the researchers, an attacker would need only about 10 minutes to recover that key.
WordPress users install the WP-Slimstat plug-in to get site analytics. The plug-in provides information such as server latency, a real-time access log, email reports and heat maps, and the collected data can be exported to an Excel spreadsheet.
According to the download counter on its page, WP-Slimstat has been downloaded more than 1.3 million times since it was published. That popularity also draws the attention of cybercriminals looking to exploit the reported vulnerabilities.
Risk from a Blind SQL Injection ahead
Sucuri security researchers discovered that the key used by the WP-Slimstat plug-in, which was supposed to be hard to guess, is derived from the installation date of the plug-in: the key is simply the MD5 hash of that value.
That means an attacker can use a site such as the Internet Archive to guess the year the website went online, and then only has to test some 30 million candidate values, which takes just a couple of minutes on a modern CPU.
This weakness exposes the plug-in to a Blind SQL Injection attack, which could leak sensitive information from the website's database, including usernames and passwords. In some specific situations the WordPress secret keys could be leaked immediately, which could lead to a full website takeover.
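To show why a key derived this way is weak, here is an added Python example (not the plug-in's own code, which is PHP): a reconstruction of a key derived as the MD5 of an installation timestamp beside a key drawn from a CSPRNG, with the effective key strength in bits of each. It assumes the installation date is a one-second Unix timestamp, which matches the roughly 30 million candidates per year given above; the HMAC signing and verification functions are illustrative, not the plug-in's.

```python
import hashlib
import hmac
import math
import secrets

# Candidate installation timestamps per year when the key is derived from a
# one-second Unix time: roughly the "30 million values" quoted above.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def weak_signing_key(install_timestamp: int) -> str:
    """Hypothetical reconstruction of the weak derivation: MD5 of the
    installation time. Hashing adds no entropy, so the key is only as
    unpredictable as the timestamp it was derived from."""
    return hashlib.md5(str(install_timestamp).encode()).hexdigest()


def strong_signing_key() -> str:
    """Hardened derivation: 32 bytes from the operating system's CSPRNG."""
    return secrets.token_hex(32)


def keyspace_bits(years_uncertain: int = 1) -> float:
    """Effective key strength in bits when the installation year is known to
    within `years_uncertain` years: log2 of the number of candidate timestamps."""
    return math.log2(years_uncertain * SECONDS_PER_YEAR)


def sign(key: str, payload: bytes) -> str:
    """HMAC-SHA256 tag over data exchanged between client and server."""
    return hmac.new(key.encode(), payload, hashlib.sha256).hexdigest()


def verify(key: str, payload: bytes, tag: str) -> bool:
    """Constant-time tag check; anyone who knows the key can forge valid tags."""
    return hmac.compare_digest(sign(key, payload), tag)


if __name__ == "__main__":
    # Constructed sample: a plug-in installed at the start of 2015 (Unix time).
    weak = weak_signing_key(1420070400)
    strong = strong_signing_key()
    print(f"weak key  : {weak} (~{keyspace_bits():.1f} bits if the install year is known)")
    print(f"strong key: {strong} (256 bits)")
    data = b"resource=/index.php&referer=example.test"
    tag = sign(weak, data)
    print("valid tag accepted :", verify(weak, data, tag))
    print("tampered payload   :", verify(weak, data + b"&x=1", tag))
```

With the install year known, the weak key offers under 25 bits of security against an attacker who can test candidates offline, versus 256 bits for the CSPRNG key.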
New Plug-in Release
A new version, 3.9.6, of the WP-Slimstat WordPress plug-in has recently been released to remove that vulnerability. In this version the key is much harder to crack and the SQL queries have been tightened.
Users are strongly advised to upgrade to the new version, and are given instructions on how to do so, so that the tracking code can rely on the latest improvements.
Version 3.9.6 of the plug-in also prompts users to flush their cache to make sure the tracking code is regenerated with the new key. The tracking code embedded on external websites must also be replaced with the new one, which is available under Settings – Advanced.