Plugins are an awesome tool for customizing a WordPress website and expanding its features and capabilities beyond the basic Web publishing platform. Each plugin, though, is also a potential security risk for the site that installs it.
Researchers have discovered that WP-Slimstat, a WordPress plugin used by over a million sites, has a vulnerability that can allow attackers to hijack control of the whole site if properly exploited. I wrote this blog post about the vulnerable plugin:
WordPress is one of the most popular Web publishing platforms. The vast catalog of plugins is part of what makes WordPress so powerful, but it can also be its Achilles heel. According to security researchers at Sucuri, there are a million-plus WordPress sites exposed to serious risk, thanks to a flaw in the WP-Slimstat plugin.
The Sucuri blog post explains, “During a routine audit for our WAF [Web application firewall], we discovered a security bug that an attacker could, by breaking the plugin’s weak “secret” key, use to perform a SQL Injection attack against the target website.”
The blog goes on to explain that a successful exploit could allow the attacker to access or download sensitive information like usernames, encrypted passwords, and possibly WordPress secret keys. Armed with the WordPress secret keys, the attacker would be able to hijack the entire WordPress site.
Sucuri sums up by stressing, “This is a dangerous vulnerability, you should update all of your websites using this plugin as soon as possible.”
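The Sucuri finding combines two weaknesses: a plugin "secret" that can be brute-forced, and a database query that trusts a value once that secret is known. The following is an added illustrative example, not WP-Slimstat's code and not Sucuri's; it shows, in plain PHP against the WordPress APIs ($wpdb, get_option, update_option, wp_generate_password), how a plugin author avoids both classes of bug. The function names prefixed example_ and the example_stats table are hypothetical. How WP-Slimstat actually derived its key is not described in the post, so the weak variant here is a generic low-entropy construction used only for contrast.

```php
<?php
// Added illustrative example (not WP-Slimstat's code, not Sucuri's code).
// Two defensive properties the Sucuri finding turns on:
//   1. a plugin "secret" must be unguessable, and
//   2. request-influenced input must never be interpolated into SQL.
// Assumes a WordPress runtime for $wpdb, get_option, update_option and
// wp_generate_password; all example_* names and the example_stats table
// are hypothetical.

// --- 1. Secret generation --------------------------------------------------

// WEAK (for contrast only): a secret derived from a low-entropy source such
// as a timestamp has a tiny search space and can be recovered offline.
function example_weak_secret(int $seed_time): string {
    return md5((string) $seed_time);
}

// STRONG: draw the secret from the CSPRNG. 32 random bytes (256 bits) is
// far beyond any brute-force budget.
function example_strong_secret(): string {
    if (function_exists('wp_generate_password')) {
        return wp_generate_password(64, true, true);   // WordPress core helper
    }
    return bin2hex(random_bytes(32));                  // plain PHP fallback
}

// Generate the secret once and persist it; never re-derive it from
// predictable site data on each request.
function example_get_or_create_secret(): string {
    $secret = get_option('example_plugin_secret');
    if (!is_string($secret) || $secret === '') {
        $secret = example_strong_secret();
        update_option('example_plugin_secret', $secret, false);
    }
    return $secret;
}

// Compare a client-supplied token in constant time so response timing does
// not reveal how many leading bytes matched.
function example_token_is_valid(string $supplied, string $expected): bool {
    return hash_equals($expected, $supplied);
}

// --- 2. Query construction -------------------------------------------------

// VULNERABLE (for contrast only): a value the request controls is pasted
// straight into the SQL string. Gating this behind a secret does not help
// once the secret is guessed; the query itself is the injection point.
function example_vulnerable_lookup(string $visitor_id): array {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}example_stats WHERE visitor = '$visitor_id'";
    return $wpdb->get_results($sql, ARRAY_A);
}

// HARDENED: restrict the input to the expected identifier alphabet, then
// pass it through $wpdb->prepare(), which escapes and quotes the value so
// the database only ever sees it as data.
function example_safe_lookup(string $visitor_id): array {
    global $wpdb;
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $visitor_id)) {
        return [];   // reject anything outside the allowed character set
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_stats WHERE visitor = %s",
        $visitor_id
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

// Request flow: authenticate the token against the strong secret before
// touching the database, and only ever use the hardened lookup.
function example_handle_request(array $request): array {
    $secret  = example_get_or_create_secret();
    $token   = isset($request['token']) ? (string) $request['token'] : '';
    if (!example_token_is_valid($token, $secret)) {
        return ['error' => 'unauthorized'];
    }
    $visitor = isset($request['visitor']) ? (string) $request['visitor'] : '';
    return example_safe_lookup($visitor);
}
```

The point of keeping both halves together is that neither fix is sufficient alone: a strong secret without prepared statements still leaves an injection reachable by any legitimate key holder or leaked key, and prepared statements without a strong secret still let an attacker read whatever the endpoint was meant to protect. Site owners who cannot review plugin code should still act on the one lever they have, which is applying the plugin update Sucuri recommends.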
How much is a million?
Sucuri estimates that there are over a million WordPress sites possibly at risk due to WP-Slimstat. That’s a large number, but in the grand scheme of things it’s not that bad.
There are nearly 75 million WordPress sites live on the Internet right now. Almost half of the Technorati Top 100 blogs run on WordPress. The New York Times, CNN, and many other iconic Web destinations depend on WordPress.
One of the primary benefits of the WordPress platform is that there is almost guaranteed to be a plugin to do just about anything you can imagine doing on a website. There are almost 30,000 WordPress plugins that have been downloaded a combined total of more than 286 million times. Against that massive backdrop, the one million or so vulnerable WP-Slimstat sites represent just over one percent of the total WordPress base.
You can read the full post at PCWorld: Over a million WordPress sites at risk thanks to WP-Slimstat plugin.