An attacker would need 10 minutes to crack the key

Feb 25, 2015 16:00 GMT

The “secret” key that the WP-Slimstat plug-in for WordPress uses to sign data exchanged between the client and the server has been found by security researchers to be easy to crack.

WP-Slimstat is a component that provides web analytics for WordPress users. It collects information such as real-time logs, server latency, heat maps and email reports, and it can export that data to an Excel spreadsheet.

According to the download data on its page, the plug-in has been downloaded more than 1.3 million times since being published, showing sufficient popularity to pique the interest of cybercriminals looking to exploit any found vulnerabilities.

Blind SQL Injection attack risk ahead

Security researchers at Sucuri discovered that the “secret” key used by WP-Slimstat is derived from the plug-in's installation date: the key is simply an MD5 hash of that value.

“An attacker could use sites like Internet Archive to approximately guess what year the site was put online (which would leave us with approx. 30 million values to test, something doable within 10 minutes with most modern CPUs),” said Marc-Alexandre Montpas from Sucuri in a blog post on Tuesday.
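As an added illustration (not code from the article or from the plug-in itself), the following Python puts a secret derived the way described above next to one drawn from the OS random generator, and shows why knowing the installation year leaves only about 25 bits to search. The exact string the plug-in hashed, the sample installation time and the hashing rate are assumptions.

```python
import hashlib
import math
import secrets
from datetime import datetime, timezone

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # ~31.5 million candidate timestamps


def weak_secret(install_ts: int) -> str:
    """Derivation as the article describes it: MD5 of the installation time.
    Hashing the decimal Unix timestamp is an assumption; the point is that the
    input space is tiny, not the exact formatting."""
    return hashlib.md5(str(install_ts).encode()).hexdigest()


def strong_secret() -> str:
    """Hardened replacement: 256 bits from the OS CSPRNG, independent of any
    guessable installation detail."""
    return secrets.token_hex(32)


def candidate_bits(window_seconds: int) -> float:
    """Effective entropy of a timestamp-derived secret when the installation
    time is known to fall inside a window of window_seconds."""
    return math.log2(window_seconds)


def brute_force_seconds(window_seconds: int, md5_per_second: float) -> float:
    """Worst-case time to enumerate every timestamp in the window."""
    return window_seconds / md5_per_second


def recover_install_ts(secret: str, window_start: int, window_end: int):
    """Audit check: if a secret was built like weak_secret(), walk every second
    in [window_start, window_end) and return the matching timestamp, or None.
    A one-year window is the article's '30 million values'."""
    for ts in range(window_start, window_end):
        if weak_secret(ts) == secret:
            return ts
    return None


if __name__ == "__main__":
    # Constructed installation time: 2014-06-15 12:34:56 UTC
    install = int(datetime(2014, 6, 15, 12, 34, 56, tzinfo=timezone.utc).timestamp())
    key = weak_secret(install)
    print(f"weak key {key}: ~{candidate_bits(SECONDS_PER_YEAR):.1f} bits if the year is known")
    print(f"strong key {strong_secret()}: 256 bits")
    # Assumed rate of 50k MD5/s, roughly the article's "10 minutes" for one year
    print(f"one year at 50k MD5/s: {brute_force_seconds(SECONDS_PER_YEAR, 5e4):.0f} s")
    # Search a one-day window around the constructed install time
    print("recovered:", recover_install_ts(key, install - 43200, install + 43200) == install)
```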

Vulnerable versions of the component are exposed to a Blind SQL Injection attack, which could hand sensitive information from the website’s database, such as usernames and password hashes, to an unauthorized individual.

Montpas warns that, in some configurations, the secret keys used by WordPress itself could be leaked, which would be synonymous with complete website takeover.

New release is currently available

A new version of WP-Slimstat has been released (3.9.6) to eliminate the vulnerability. It tightens SQL queries and makes the encryption key more difficult to guess.

Users are advised to switch to the new build and have been given instructions on how to make sure that the tracking code relies on the latest improvements.

“If you are using a caching plugin, please flush its cache so that the tracking code can be regenerated with the new key. Also, if you are using Slimstat to track external websites, please make sure to replace the tracking code with the new one available under Settings > Advanced,” the release notes for the new build inform.