Over a million Wordpress sites at risk thanks to WP-Slimstat plugin

A critical flaw in the WP-Slimstat plugin could allow attackers to completely hijack vulnerable Wordpress sites.

Wordpress is one of the most popular Web publishing platforms. The vast catalog of plugins is part of what makes Wordpress so powerful, but it can also be its Achilles' heel. According to security researchers at Sucuri, there are a million-plus Wordpress sites exposed to serious risk thanks to a flaw in the WP-Slimstat plugin.

WP-Slimstat vulnerable

The Sucuri blog post explains, "During a routine audit for our WAF [Web application firewall], we discovered a security bug that an attacker could, by breaking the plugin's weak 'secret' key, use to perform a SQL Injection attack against the target website."

The blog goes on to explain that a successful exploit could allow the attacker to access or download sensitive information like usernames, encrypted passwords, and possibly Wordpress secret keys. Armed with the Wordpress secret keys, the attacker would be able to hijack the entire Wordpress site.
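The two weaknesses Sucuri describes, a guessable plugin secret and a database query that an attacker holding that secret can bend, map onto a defensive pattern any WordPress plugin can follow. The block below is an added illustration, not WP-Slimstat's code or anything from Sucuri's post; it assumes it runs inside WordPress (so `$wpdb`, `get_option`, `update_option` and `wp_die` are available), and the option name, table name and `demo_` function names are hypothetical.

```php
<?php
// Added example (not WP-Slimstat's code). Shows the hardened pattern for the
// two problems described above: a derivable plugin "secret" and SQL built
// from request input. Assumes it runs inside WordPress.

// Hypothetical weak pattern (not a claim about how WP-Slimstat built its key):
// anything derived from values an attacker can estimate or enumerate can be
// brute-forced offline, which is what "breaking the weak secret key" means.
function demo_weak_secret_do_not_use() {
    return md5( get_option( 'siteurl' ) );
}

// Strong pattern: 32 bytes from the CSPRNG, generated once and stored, never
// derived from site data. Option name 'demo_plugin_secret' is hypothetical.
function demo_plugin_secret() {
    $secret = get_option( 'demo_plugin_secret' );
    if ( ! $secret ) {
        $secret = bin2hex( random_bytes( 32 ) ); // PHP 7+ CSPRNG
        update_option( 'demo_plugin_secret', $secret, false );
    }
    return $secret;
}

// Verify a client-supplied token in constant time, so response timing does
// not leak how many leading characters of the token were correct.
function demo_token_is_valid( $supplied ) {
    $expected = hash_hmac( 'sha256', 'demo-endpoint', demo_plugin_secret() );
    return is_string( $supplied ) && hash_equals( $expected, $supplied );
}

// Even after the token check passes, never concatenate input into SQL.
// $wpdb->prepare() binds the value, so a crafted parameter cannot change the
// query's structure. Table name demo_stats is hypothetical.
function demo_lookup_visits( $page_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, dt, ip FROM {$wpdb->prefix}demo_stats WHERE page_id = %d",
        (int) $page_id
    );
    return $wpdb->get_results( $sql );
}

// Endpoint glue: reject unauthenticated callers before touching the database.
function demo_handle_request() {
    $token = isset( $_GET['token'] ) ? (string) $_GET['token'] : '';
    if ( ! demo_token_is_valid( $token ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    return demo_lookup_visits( isset( $_GET['page_id'] ) ? $_GET['page_id'] : 0 );
}
```

The two layers are independent: a strong, unguessable secret keeps the endpoint closed to outsiders, and the prepared statement means that even a caller who does get through cannot turn a parameter into a SQL injection.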

Sucuri sums up by stressing, "This is a dangerous vulnerability, you should update all of your websites using this plugin as soon as possible."

How much is a million?

Sucuri estimates that there are over a million Wordpress sites possibly at risk due to WP-Slimstat. That's a large number, but in the grand scheme of things it's not that bad.

There are nearly 75 million Wordpress sites live on the Internet right now. Almost half of the Technorati Top 100 blogs run on Wordpress. The New York Times, CNN, and many other iconic Web destinations depend on Wordpress.

One of the primary benefits of the Wordpress platform is that there is almost guaranteed to be a plugin to do just about anything you can imagine doing on a website. There are almost 30,000 Wordpress plugins that have been downloaded a combined total of more than 286 million times. Against that massive backdrop, the one million or so vulnerable WP-Slimstat sites represent just over one percent of the total Wordpress base.

Be careful how you Wordpress

"The number one recommendation I can make with every WordPress install is to be absolutely sure that it isn't hosted on a machine that has access to anything of value," exclaimed Matt Johansen, senior manager of the Threat Research Center for WhiteHat Security. "Full stop. It is the Windows XP of the web and has a giant target on its back, front, and side."

According to Johansen, plugins are a double-edged sword. They extend the features and capabilities of Wordpress, but almost anyone can write and publish a plugin. There's no quality assurance and no vetting in place to ensure that a plugin works as advertised and doesn't contain any security flaws or malware. You have to do some homework and make sure you're selecting plugins that are both functional and trusted.

Johansen said, "These boxes will get hacked and the best thing to do is make sure that if they do, that nothing but your blog is affected. Have backups so that you can just kill the infected machine and spin up a new blog ASAP."

If you're using the WP-Slimstat plugin you should follow Sucuri's advice and update your Wordpress site as soon as possible. Regardless of whether you're using the vulnerable plugin, this is a good time to take a look at the plugins you do have installed. Make sure they're updated and remove any plugins that you don't actively use.


Stories by Tony Bradley