On February 24th, 2015, the security blog Sucuri published details of an SQL injection vulnerability in the WordPress plugin WP Slimstat. The issue affects versions up to 3.9.5 of the plugin, which has more than 100,000 active installations according to the WordPress repository statistics.
WP Slimstat is a popular web analytics plugin for WordPress.
“camu”, the author of the plugin, reacted immediately to the report and released updated versions 3.9.6 and 3.9.7, which fix the vulnerability. In his response, the author said:
As soon as we received Marc’s [the author of the Sucuri blog post] email, we got to work to patch the vulnerability. We apologize for any inconvenience this may have caused, and we thank Sucuri for the thorough analysis they performed on our code.
So how could WP Slimstat be used for an SQL injection? The plugin uses a secret key to sign data exchanged between server and client. That key was derived from the timestamp of the moment the plugin was activated. Although the timestamp was hashed with md5, this did not make the key hard to guess: a Unix timestamp is just a count of seconds, so an attacker who can roughly bound the installation date only needs to hash every candidate second in that window and check whether the result is the real secret key. Generating and checking thousands upon thousands of md5 hashes takes a modern machine seconds, not hours.
Once an attacker had recovered the real secret key, mounting the SQL injection was not hard either, as the blog post by Marc-Alexandre Montpas explains.
Everyone running WP Slimstat 3.9.5 or lower is strongly advised to update the plugin immediately.
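To make the weakness concrete, here is an added Python example; it is not Slimstat's code and not taken from the Sucuri post. It models a secret derived as md5 of the activation timestamp, recovers that secret from a single signed request by brute-forcing one day's worth of candidate timestamps, forges a signature for an attacker-chosen payload with the recovered key, and shows that a secret drawn from the operating system's random generator does not fall to the same search. The signing construction (HMAC-MD5), the payloads and the timestamps are constructed assumptions; the follow-on SQL injection described in the Sucuri post is not reproduced.

```python
import hashlib
import hmac
import secrets


def weak_secret(install_ts: int) -> str:
    """Hypothetical weak derivation, modelled on the description of the bug:
    the secret is md5 of the Unix second at which the plugin was activated.
    This is an assumption for illustration, not Slimstat's actual code."""
    return hashlib.md5(str(install_ts).encode()).hexdigest()


def strong_secret() -> str:
    """Hardened alternative: 32 bytes from the OS CSPRNG, generated once at
    activation and stored. Nothing about it can be derived from the clock."""
    return secrets.token_hex(32)


def sign(secret: str, payload: bytes) -> str:
    """Assumed signing scheme for client data: HMAC-MD5 under the secret."""
    return hmac.new(secret.encode(), payload, hashlib.md5).hexdigest()


def verify(secret: str, payload: bytes, sig: str) -> bool:
    """Constant-time comparison of the expected and the presented signature."""
    return hmac.compare_digest(sign(secret, payload), sig)


def brute_force_secret(payload: bytes, sig: str, start_ts: int, end_ts: int):
    """Attacker side: given one observed (payload, signature) pair, hash every
    candidate activation second in [start_ts, end_ts] and return the first
    (timestamp, secret) that validates the signature, or None if no
    candidate in the window matches."""
    for ts in range(start_ts, end_ts + 1):
        candidate = weak_secret(ts)
        if verify(candidate, payload, sig):
            return ts, candidate
    return None


def forge(payload: bytes, sig: str, start_ts: int, end_ts: int, new_payload: bytes):
    """Recover the weak secret from one signed request and sign an
    attacker-chosen payload with it; returns the forged signature or None."""
    hit = brute_force_secret(payload, sig, start_ts, end_ts)
    if hit is None:
        return None
    return sign(hit[1], new_payload)


if __name__ == "__main__":
    # Constructed scenario: plugin activated at 2014-02-10 02:40:00 UTC.
    install_ts = 1392000000
    observed = b"resource=/index.php&referer=https://example.org"  # constructed
    observed_sig = sign(weak_secret(install_ts), observed)

    # The attacker only knows the activation happened "some time that day",
    # so the search covers one UTC day: 86,400 md5/HMAC evaluations.
    day_start = install_ts - install_ts % 86400
    day_end = day_start + 86399
    hit = brute_force_secret(observed, observed_sig, day_start, day_end)
    print("recovered (timestamp, secret):", hit)

    # With the key in hand, any payload the attacker likes validates.
    chosen = b"resource=/attacker-controlled"  # constructed
    forged_sig = forge(observed, observed_sig, day_start, day_end, chosen)
    print("forged payload accepted:", verify(hit[1], chosen, forged_sig))

    # The same search against a CSPRNG-derived secret finds nothing.
    strong = strong_secret()
    print("strong secret recovered:",
          brute_force_secret(observed, sign(strong, observed), day_start, day_end))
```

The search window here is a single day, which is already generous: the activation date can often be narrowed further from the plugin's own output or from the site's history, and an md5 per candidate second makes even a multi-year window tractable. The fix is not a stronger hash over the timestamp but a secret with real entropy, as in `strong_secret()`.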