Over one million websites running the WordPress content management system are potentially at risk of being hijacked due to a critical vulnerability exposed in the WP-Slimstat plugin.
On Tuesday, a security advisory posted by researcher Marc-Alexandre Montpas from security firm Sucuri said the "very high risk" vulnerability found in versions of WP-Slimstat 3.9.5 and lower could lead to cyberattackers being able to break the plugin's "secret" key, perform an SQL injection and take over a target website.
The security bug is found in all versions of the analytics plugin except the latest 3.6 version.
WP-Slimstat uses a "secret" key to sign data sent to and from a visiting computer. However, Sucuri says the key is easily guessable, as it is just a hashed version of the plugin's installation timestamp -- and by using a website like Internet Archive, the key could be guessed within only minutes based on the year the site appeared online. According to the team, this would leave roughly 30 million values to test, something which is doable in only 10 minutes on modern computer systems.
Once this information has been acquired, an SQL injection can be performed.
The security researchers say the bug could lead to database exploits, hijacking and the theft of sensitive information including usernames, hashed passwords, and potentially access to WordPress Secret Keys which could lead to total site takeover.
WP-Slimstat is an analytics tool which includes a real-time website activity log, heatmaps, email reports, data exports, platform and browser detection as well as IP geolocation. The plugin is available in multiple languages and is free with premium bolt-ons.
According to the WordPress plugin library, WP-Slimstat has been downloaded over 1.3 million times. If you run this plugin on your website, you should make sure your CMS is up-to-date and download the latest version of the software.