Users are urged to upgrade to version 3.9.6 immediately due to the severity of the issue.
Users are urged to upgrade to version 3.9.6 immediately due to the severity of the issue.

A popular WordPress plugin that has more than 1.3 million downloads contains a vulnerability that can be exploited to perform SQL injection attacks against vulnerable websites, according to researchers with Sucuri, who consider the issue to be a very high security risk.

The vulnerability exists in versions 3.9.5 and lower of the Slimstat web analytics plugin for WordPress, Marc-Alexander Montpas, senior vulnerability researcher with Sucuri, wrote in a Tuesday blog post. He urged all users to upgrade to version 3.9.6 immediately due to the severity of the issue.

Montpas told SCMagazine.com in a Wednesday email correspondence that the vulnerability can be used to perform SQL injection attacks and, subsequently, to obtain any information from a vulnerable website's database. One could, for example, obtain a list of all usernames and hashed passwords, he said.

“Under certain configurations, [one could] grab WordPress Secret Keys to exploit weakness amongst other plugins,” Montpas said, explaining that “a common mistake plugin developers make is relying only on “nonce checks” functions to validate a user's right to perform a specific action, something that can be easily bypassed if an attacker manages to get his hands on these keys.”

The root cause of the issue is in the way the “secret” token – which is used by the plugin to sign data sent to and from the client – is generated, Montpas wrote. In versions 3.9.5 and lower, the “secret” key is a hashed version of the plugin's installation timestamp, which could ultimately be bruteforced using certain accessible information, he wrote.

To fix the issue in version 3.9.6, the Slimstat developers changed the way the “secret” token is generated.

“It is now generated using a mix of PHP's uniqid() and WordPress wp_hash() functions, which solves the issue not only by adding some actual randomness to the token but also by making it extremely hard for somebody to guess the resulting hash,” Montpas said.