More than one million WordPress sites may be exposed to a critical plugin vulnerability that could open them up to SQL injection attacks and, in turn, total site takeover.
The problem stems from a weak key vulnerability in WP-Slimstat, a web analytics plugin for the content management system that’s been downloaded roughly 1.3 million times. The bug could enable an attacker to essentially guess the value of the key the plugin uses to sign data sent to and from the user. From there, one could stage a series of blind SQL injection attacks and glean information from the site’s database such as usernames, hashed passwords and WordPress Secret Keys.
Marc-Alexandre Montpas, a researcher with the firm Sucuri, which specializes in digging up WordPress bugs, discussed the vulnerability in a blog post yesterday. Montpas stumbled upon it during a routine audit when he realized that the plugin’s “secret” key wasn’t so secret.
The key was really just a hashed version of the plugin’s installation timestamp, according to Montpas, so an attacker doesn’t have to guess it blindly: a service that records when a site first went live, such as the Internet Archive, narrows the candidate timestamps down to a small window. The plugin also includes timestamps, and the values it signs with the key, on the vulnerable site’s homepage, so each candidate key can be tested against those public values. Once the key is secured, the attacker can use it to sign payloads and perform a blind SQL injection.
Once an attacker knows the key, they can attach it to a payload, MD5 the result to pass the site’s validity check, and extract data from its database.
Blind SQL injection, according to OWASP, is a variation of SQL injection “that asks the database true or false questions and determines the answer based on the application’s response.” The key-recovery step here works by a similar process of trial: the attacker brute forces candidate installation timestamps until one produces the same combination of characters the plugin has placed on the affected site’s homepage, and only then moves on to the database queries.
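To make the weakness concrete, the following Python model was added for this page; it is example code, not WP-Slimstat’s own code, and the exact construction (secret = MD5 of the install timestamp, signature = MD5 of the data followed by the secret, the field values and timestamps) is an assumption standing in for the plugin’s real implementation. It brute forces a window of installation timestamps, the kind of window an Internet Archive capture gives, until the recomputed signature matches the one observed on the page, then signs an attacker-chosen payload so the validity check passes. It also shows the hardened alternative: a secret drawn from the OS random generator and an HMAC compared in constant time.

```python
import hashlib
import hmac
import secrets

# --- Weak scheme, modelled on the article's description (assumption, not the
# plugin's own code): the "secret" is a hash of the installation timestamp, and
# values shipped to the browser are signed with md5(value + secret).

def weak_secret(install_ts: int) -> str:
    """Secret derived from the install timestamp: anyone who can guess when
    the site went live can recompute it."""
    return hashlib.md5(str(install_ts).encode()).hexdigest()


def weak_sign(data: str, secret: str) -> str:
    return hashlib.md5((data + secret).encode()).hexdigest()


def weak_verify(data: str, sig: str, secret: str) -> bool:
    """Server-side validity check: recompute and compare."""
    return weak_sign(data, secret) == sig


def recover_secret(observed_data: str, observed_sig: str,
                   ts_lo: int, ts_hi: int):
    """Offline brute force over candidate install timestamps in [ts_lo, ts_hi]
    (a window narrowed by, e.g., the site's first Internet Archive capture).
    observed_data / observed_sig are the timestamp and signature the plugin
    emits on the public homepage. Returns (install_ts, secret) or None."""
    for ts in range(ts_lo, ts_hi + 1):
        candidate = weak_secret(ts)
        if weak_sign(observed_data, candidate) == observed_sig:
            return ts, candidate
    return None


def forge(payload: str, secret: str) -> tuple:
    """With the recovered secret, any payload can be signed so that
    weak_verify() accepts it."""
    return payload, weak_sign(payload, secret)


# --- Hardened alternative: a secret the attacker cannot derive from public
# facts about the site, and an HMAC checked with a constant-time comparison.

def strong_secret() -> bytes:
    """Generated once at install time from the OS CSPRNG and stored."""
    return secrets.token_bytes(32)


def strong_sign(data: str, secret: bytes) -> str:
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()


def strong_verify(data: str, sig: str, secret: bytes) -> bool:
    return hmac.compare_digest(strong_sign(data, secret), sig)


# Constructed scenario (not real site data): the site was installed at
# 2015-01-01 00:00:00 UTC, and the homepage currently shows a page-load
# timestamp together with its signature.
INSTALL_TS = 1420070400
PAGE_TS = "1425009600"      # timestamp the plugin prints on the page
PAGE_SIG = weak_sign(PAGE_TS, weak_secret(INSTALL_TS))


def attack_demo(window_seconds: int = 86400):
    """Recover the key from a +/- window around the guessed install date and
    forge a signed payload. Returns (recovered_install_ts, forged_ok)."""
    found = recover_secret(PAGE_TS, PAGE_SIG,
                           INSTALL_TS - window_seconds,
                           INSTALL_TS + window_seconds)
    if found is None:
        return None, False
    ts, secret = found
    payload, sig = forge("attacker-controlled-data", secret)
    # The server still verifies against its real secret; the forgery passes
    # because the attacker recovered exactly that secret.
    return ts, weak_verify(payload, sig, weak_secret(INSTALL_TS))


if __name__ == "__main__":
    print(attack_demo())    # (1420070400, True)
```

A one-day window is about 173,000 candidates and finishes in well under a second; the point is that the search space is set by how precisely the install date can be guessed, not by the hash’s output size. With `strong_secret()` there is no public fact to enumerate, and `hmac.compare_digest` removes the timing side channel that a plain `==` on the signature would leak.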
“If your website uses a vulnerable version of the plugin, you’re at risk,” Montpas wrote Tuesday. “This is a dangerous vulnerability. You should update all of your websites using this plugin as soon as possible.”
While the bug has been patched in version 3.9.6 of the plugin, pushed live late last week, all prior versions remain at risk.
“The security of our users’ data is our top priority, and for this reason we tightened our SQL queries and made our encryption key harder to guess,” the plugin’s author, WordPress user Camu, wrote in the plugin’s changelog when it was updated.