Flaw in popular Web analytics plug-in exposes WordPress sites to hacking

Attackers can easily crack cryptographic keys used by the WP-Slimstat plug-in and use them to read information from a site's database

WordPress site owners using the WP-Slimstat plug-in installed should upgrade it to the latest version immediately in order to fix a critical vulnerability, security researchers warn.

WP-Slimstat, a Web analytics plug-in for WordPress, has been downloaded over 1.3 million times and is highly rated by users. The plug-in allows site owners to track returning visitors and registered users, monitor JavaScript events, detect intrusions, analyze email campaigns and more.

Researchers from Web security firm Sucuri found a vulnerability that stems from weak cryptographic key generation in WP-Slimstat versions 3.9.5 and lower. If attackers can determine the secret key used by the plug-in, they can launch blind SQL injection attacks that enable them to read sensitive information from the site's database.

That sensitive information can include usernames, password hashes, and, in certain configurations, WordPress secret keys that if exposed, can lead to a total takeover of the affected sites, Sucuri senior vulnerability researcher Marc-Alexandre Montpas said in a blog post Tuesday.

The plug-in's secret key is generated by running the MD5 hash algorithm over a timestamp that corresponds to the plug-in's installation on the website. Guessing when the plug-in was installed might appear to be hard, but it's not.

An attacker can determine the year when the site was created, which is likely the same year when the plug-in was installed, by looking at the Internet Archive or other sources online. Once that part of the timestamp is determined, there are 30 million possible values left for the rest of it.

Testing all those values and comparing the resulting signatures with signatures used on the site can be done in 10 minutes using most modern CPUs, Montpas said.

"This is a dangerous vulnerability, you should update all of your websites using this plugin as soon as possible," the researcher said.

The WP-Slimstat developers released version 3.9.6 last week in order to address the issue.

"The security of our users' data is our top priority, and for this reason we tightened our SQL queries and made our encryption key harder to guess," they wrote in the plug-in's changelog. "If you are using a caching plugin, please flush its cache so that the tracking code can be regenerated with the new key."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags patchessecurityAccess control and authenticationSucuriencryptiondata protection

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?