More than 1 Million WordPress websites are vulnerable to blind SQL Injection Attacks

A security bug in the WordPress plugin WP-Slimstat could be exploited by attackers to discover a “secret” key and use it to run blind SQL Injections.

More than one million WordPress sites are potentially vulnerable to SQL injection attacks due to the presence of a critical flaw in the popular plugin WP-Slimstat. WP-Slimstat is an analytics plugin for WordPress that count more than 1,300,000 downloads. The exploitation of the security flaw could allow an attacker to guess the value of the secret key the plugin uses to sign data sent to and from the user.

The security issue was discovered by Marc-Alexandre Montpas, a researcher with the firm Sucuri, during a routine audit.

All the WP-Slimstat versions prior to the latest release 3.9.6 are affected by the security issue. If an attacker is able to guess the secret key could run a series of blind SQL injection attacks and access data contained in the database of the WordPress instance, including user credentials, hashed passwords and WordPress Secret Keys.

“This bug can be used by any visitor browsing the vulnerable website. If your website uses a vulnerable version of the plugin, you’re at risk. Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover).” wrote in a blog post Marc-Alexandre Montpas.

The key was really a hashed version of the plugin’s installation timestamp. To guess the key, an attacker have to visit a website that caches information about when sites were put online, like the Internet Archive.

“An attacker could use sites like Internet Archive to approximately guess what year the site was put online (which would leave us with approx. 30 million values to test, something doable within 10 minutes with most modern CPUs).” states the post.”The only piece missing to be able to bruteforce the site’s timestamp is valid, signed, information coming from the plugin to compare our generated signatures with.”

In this specific case of Blind SQL attack, an attacker brute forces site timestamps until it gets the same combination of characters from the affected site’s homepage. Montpas urges the administrators of websites using the WP-Slimstat to update plugin as soon as possible.

“The security of our users’ data is our top priority, and for this reason we tightened our SQL queries and made out encryption key harder to guess,” explained the plugin’s author, Camu.

Pierluigi Paganini

(Security Affairs –  WordPress plugin, hacking)