More than one million WordPress sites are potentially vulnerable to SQL injection attacks due to the presence of a critical flaw in the popular plugin WP-Slimstat. WP-Slimstat is an analytics plugin for WordPress that count more than 1,300,000 downloads. The exploitation of the security flaw could allow an attacker to guess the value of the secret key the plugin uses to sign data sent to and from the user.
The security issue was discovered by Marc-Alexandre Montpas, a researcher with the firm Sucuri, during a routine audit.
All the WP-Slimstat versions prior to the latest release 3.9.6 are affected by the security issue. If an attacker is able to guess the secret key could run a series of blind SQL injection attacks and access data contained in the database of the WordPress instance, including user credentials, hashed passwords and WordPress Secret Keys.
“This bug can be used by any visitor browsing the vulnerable website. If your website uses a vulnerable version of the plugin, you’re at risk. Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover).” wrote in a blog post Marc-Alexandre Montpas.
The key was really a hashed version of the plugin’s installation timestamp. To guess the key, an attacker have to visit a website that caches information about when sites were put online, like the Internet Archive.
“An attacker could use sites like Internet Archive to approximately guess what year the site was put online (which would leave us with approx. 30 million values to test, something doable within 10 minutes with most modern CPUs).” states the post.”The only piece missing to be able to bruteforce the site’s timestamp is valid, signed, information coming from the plugin to compare our generated signatures with.”
In this specific case of Blind SQL attack, an attacker brute forces site timestamps until it gets the same combination of characters from the affected site’s homepage. Montpas urges the administrators of websites using the WP-Slimstat to update plugin as soon as possible.
“The security of our users’ data is our top priority, and for this reason we tightened our SQL queries and made out encryption key harder to guess,” explained the plugin’s author, Camu.
(Security Affairs – WordPress plugin, hacking)
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
This website uses cookies.