Vulnerable WordPress plugin enables attackers to take control of your site

Plugins are an awesome tool for customizing a WordPress website and expanding the features and capabilities beyond the basic Web publishing platform. [inlinetweet prefix=”” tweeter=”” suffix=””]Each plugin is also a potential security risk that could put your WordPress website at risk.[/inlinetweet]

Researchers have discovered the WP-Slimstat–a WordPress plugin used by over a million sites–has a vulnerability that can allow attackers to hijack control of the whole site if properly exploited. I wrote this blog post about the vulnerable plugin:

WordPress is one of the most popular Web publishing platforms. The vast catalog of plugins is part of what makes WordPress so powerful, but it can also be the Achilles heel. According to security researchers at Sucuri there are a million-plus WordPress sites exposed to serious risk, thanks to a flaw in the WP-Slimstat plugin.

WP-Slimstat vulnerable

The Sucuri blog post explains, “During a routine audit for our WAF [Web application firewall], we discovered a security bug that an attacker could, by breaking the plugin’s weak “secret” key, use to perform a SQL Injection attack against the target website.”

The blog goes on to explain that a successful exploit could allow the attacker to access or download sensitive information like usernames, encrypted passwords, and possibly WordPress secret keys. Armed with the WordPress secret keys, the attacker would be able to hijack the entire WordPress site.

Sucuri sums up by stressing, [inlinetweet prefix=”” tweeter=”” suffix=””]“This is a dangerous vulnerability, you should update all of your websites using this plugin as soon as possible.”[/inlinetweet]

How much is a million?

Sucuri estimates that there are over a million WordPress sites possibly at risk due to WP-Slimstat. That’s a large number but in the grand scheme of things it’s not that bad.

There are nearly 75 million WordPress sites live on the Internet right now. Almost half of the Technorati Top 100 blogs run on WordPress. The New York Times, CNN, and many other iconic Web destinations depend on WordPress.

One of the primary benefits of the WordPress platform is that there is almost guaranteed to be a plugin to do just about anything you can imagine doing on a website. There are almost 30,000 WordPress plugins that have been downloaded a combined total of more than 286 million times. Against that massive backdrop, the one million or so vulnerable WP-Slimstat sites represent just over one percent of the total WordPress base.

You can read the full post at PCWorld: Over a million WordPress sites at risk thanks to WP-Slimstat plugin.

Tony Bradley: I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 4 dogs, 7 cats, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Threads, Facebook, Instagram and LinkedIn.
Related Post