Gadgets Magazine

Plugin Vulnerability Puts Approximately One Million WordPress Sites at Risk

Posted on the 27 February 2015 by Nrjperera @nrjperera

A vulnerability in a WordPress plugin for web analytics called WP-Slimstat has reportedly put approximately a million WordPress powered websites at risk, allowing the possibility for hackers to hijack websites with the said plugin.

The vulnerability was discovered by Web security firm Sucuri, who found that the plugin’s weak “secret” key can actually be used by an attacker to perform a SQL Injection to hijack a website, which allows the hacker to access the website database, admin info including username and password, and more. Basically, once your site is hacked you’re screwed.

“This bug can be used by any visitor browsing the vulnerable website,” Marc-Alexandre Montpas, a security researcher at Sucuri, wrote in a blog post. “Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database.”

The WP-Slimstat plugin page shows that it’s been downloaded over 1.3 million times, which of course includes re-downloads and updates. Still, needless to say, a lot of websites are at risk.


After the vulnerability was reported, the WP-Slimstat plugin was patched with a fix for this issue. If your WP-Slimstat version is lower than 3.9.6, you should immediately update the plugin to avoid getting hacked. Or you could simply get rid of the plugin and switch to Google Analytics, like everyone else.
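As an added example (not code from the article, Sucuri, or the plugin itself), here is a small Python checker that reads the "Version:" field from a WordPress plugin file header and compares it numerically against 3.9.6, which matters because a plain string comparison would rank a hypothetical 3.10.0 below 3.9.6; the header text and version number are constructed for the demonstration.

```python
"""Check whether an installed WP-Slimstat version predates the 3.9.6 fix.

Added example, not the plugin's own code. It assumes the plugin's main file
carries a standard WordPress plugin header with a "Version:" line; the header
used here is a constructed sample string rather than a file read from disk.
"""
import re

PATCHED_VERSION = "3.9.6"  # first release the article says carries the fix


def parse_version(version: str) -> tuple:
    """Turn '3.9.5.2' into (3, 9, 5, 2) so comparison is numeric, not lexical.

    A plain string comparison would wrongly rank '3.10.0' below '3.9.6'.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is lower than the patched release."""
    return parse_version(version) < parse_version(patched)


def version_from_plugin_header(header_text: str) -> str:
    """Extract the Version: field from a WordPress plugin file header."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    if not match:
        raise ValueError("no Version: line found in plugin header")
    return match.group(1)


# Constructed sample, shaped like a WordPress plugin header block.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP Slimstat
Version: 3.9.5.2
*/
"""


def check_sample() -> bool:
    """Run the check on the constructed sample; True means an update is needed."""
    return is_vulnerable(version_from_plugin_header(SAMPLE_HEADER))


if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    status = "UPDATE NOW" if is_vulnerable(installed) else "patched"
    print(f"WP-Slimstat {installed}: {status}")
```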

[ Via: Ars Technica / Sucuri Blog ]

Follow @nrjperera – Roshan Jerad Perera
