Just another Websupporter site

WP Slimstat security fix

On February the 24th the security blog Sucuri published a possible way for an SQL-injection using the WordPress Plugin WP Slimstat. This problem was found up to the version 3.5 of the plugin, which has over 100.000 active installations according to the WordPress repository statistics.

WP Slimstat is a famous web analytics plugin for WordPress:

Slimstat gives you meaningful insights into your website’s visitors. Track returning customers and registered users, monitor Javascript events, detect intrusions, analyze email campaigns


“camu”, author of the plugin reacted immediately to the possible thread and delivered an updated version 3.9.6 and 3.9.7, which fixed the vulnerability. In a reaction, the author said:

As soon as we received Marc’s [the author of the Sucuri blog post] email, we got to work to patch the vulnerability. We apologize for any inconvenience this may have caused, and we thank Sucuri for the thorough analysis they performed on our code.

So, how was it possible, to use WP Slimstat for an SQL injection? WP Slimstat ist using a secret key to sign data, which was sent between server and client. For this, it was using the timestamp, when the plugin was activated. Although this timestamp was hashed with md5, it was not to hard to guess. To find out the secret key, one just needs to generate thousands and thousands of hashed timestamps and check, whether this is the real secret key.

Once an attacker found out the real secret key, it was not to hard to start an SQL injection according the blog post written by Marc-Alexandre Montpas.

For everyone, who is running WP Slimstat 3.9.5 or lower: It is strongly recommended, to update this plugin immediately.

About the author

Seine erste Webseite hat David Remer 1998 in HTML verfasst. Wenig später war er fasziniert von DHTML und JavaScript. Nach jahrelanger Freelancerei arbeitete er zunächst für Inpsyde und ist heute Entwickler bei Automattic. Außerdem hat er das Buch "WordPress für Entwickler" verfasst.

Leave a Reply

Your email address will not be published.