Vulnerability in WordPress Slimstat Plugin Puts 1.3 Million Sites at Risk

A high-severity security vulnerability has been discovered in the WP-Slimstat plugin for the popular web publishing platform WordPress. The discovery, made by security researchers at Sucuri, puts over a million WordPress sites at serious risk.

What does the WP-Slimstat plugin do?

Slimstat is a free SEO plugin for WordPress. This analytics plugin offers real-time statistics, server latency, heatmaps, email reports, and other tools for monitoring website data. It is also compatible with a variety of caching plugins.

What are the risks?

According to the Sucuri blog, the vulnerability was found in version 3.9.5 of WP-Slimstat during an audit carried out for Sucuri's Web Application Firewall (WAF). Upon cracking the plugin's security key, an attacker could exploit the bug to carry out an SQL injection attack against any site that has the plugin installed.

Successful exploitation of the bug could give the attacker access to sensitive information in the site's database, such as usernames, passwords, and WordPress security keys. With the security keys in hand, the attacker could then gain full control over the WordPress site.

What percentage of sites are affected?

WordPress is a massive platform, and there are around 30,000 plugins that perform various functions for websites. WP-Slimstat is one of those plugins, and when looking at the larger picture, the vulnerability only affects a little over one percent of the total WordPress user base. That said, over one million WP-Slimstat users being at risk is no laughing matter.

What should affected users do?

The Sucuri blog recommends that users who have WP-Slimstat version 3.9.5 or lower installed should immediately update to version 3.9.6 or above.

Furthermore, those using a caching plugin should flush its cache so that the tracking code is regenerated with the new key. If, for some reason, the update cannot be performed, Sucuri recommends that users consider its WAF product.
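As an added illustration of the check a site administrator would run before and after updating (this script is not part of the original article and is not code from Sucuri or the Slimstat project), the following POSIX shell script reads the installed plugin's version from its standard WordPress "Version:" header and reports whether it is still at or below the affected release, 3.9.5. It assumes the plugin's main file is wp-slimstat/wp-slimstat.php under the site's plugins directory and that versions are plain dotted numbers; the sample plugin file it creates for the demonstration is constructed, not a real install.

```shell
#!/bin/sh
# Added example, not code from the article, Sucuri or the Slimstat project.
# Checks whether an installed WP-Slimstat copy is at or below the affected
# release (3.9.5) by reading the standard WordPress "Version:" plugin header.
# Assumptions: the plugin's main file is wp-slimstat/wp-slimstat.php under the
# site's plugins directory, and versions are plain dotted numbers.

FIXED_VERSION="3.9.6"   # first release the article says is safe to run

# Extract the value of the "Version:" line from a plugin header file.
plugin_version_from_header() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (true) when dotted version $1 is strictly older than $2.
# Pure POSIX sh: compares each numeric component, treating missing ones as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        ah=${ah:-0};  bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1
}

# Return 0 when the given WP-Slimstat version is still affected (< 3.9.6).
slimstat_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Inspect a plugins directory and print a verdict; exit status 0 = patched,
# 1 = vulnerable, 2 = plugin not found or version unreadable.
check_slimstat_install() {
    main_file="$1/wp-slimstat/wp-slimstat.php"
    [ -f "$main_file" ] || { echo "WP-Slimstat not found under $1"; return 2; }
    ver=$(plugin_version_from_header "$main_file")
    [ -n "$ver" ] || { echo "could not read Version header in $main_file"; return 2; }
    if slimstat_is_vulnerable "$ver"; then
        echo "WP-Slimstat $ver is affected: update to $FIXED_VERSION or later, then flush the page cache"
        return 1
    fi
    echo "WP-Slimstat $ver is at or above $FIXED_VERSION"
    return 0
}

# Demo on a constructed plugin tree standing in for wp-content/plugins.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-slimstat"
cat > "$demo_root/wp-slimstat/wp-slimstat.php" <<'EOF'
<?php
/*
Plugin Name: WP SlimStat
Version: 3.9.5
*/
EOF
check_slimstat_install "$demo_root" || true
rm -rf "$demo_root"
```

On a real site, point `check_slimstat_install` at the `wp-content/plugins` directory; a non-zero exit status makes the script usable from a cron job or monitoring check so that the update and the cache flush are not forgotten.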