The Hacker News is reporting a major vulnerability in the popular SlimStat Analytics plugin for WordPress. The plugin obscures and protects the analytics data it sends from your visitors' browsers to your website, and that protection depends on a "secret key" (effectively a password) that the plugin generates when it is installed.
The problem lies with that key. It is derived from nothing more than the date and time you installed the plugin, which means it is predictable rather than secret. Anyone in your organization who knows roughly when the plugin was installed, or anyone FORMERLY in your organization, can reconstruct the key, and with it not only tamper with the analytics data but break into the site itself through an attack known as SQL injection. Even people with no connection to your organization can narrow down the install date, for example by looking at archived copies of your site on the Internet Archive's Wayback Machine to see when the plugin's tracking script first appeared, and then simply try every possible key for that window.
WordPress plugins run with full access to the WordPress back end of your site, so an insecure plugin can make your whole site vulnerable to being deleted, changed or otherwise manipulated. A SQL injection (a properly crafted line of input that the site passes straight to its database) could even delete all your users, so you couldn't get back into your website to fix it.
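To show why an install-date key is no key at all, here is an added example (not code from the SlimStat plugin or from the Sucuri advisory) that models the weakness: the key is assumed to be the MD5 hex digest of the installation Unix timestamp, and analytics submissions are assumed to be authenticated with an HMAC under that key. Both the key derivation and the signing scheme are constructed simplifications, as is the sample payload. An attacker who knows only the installation date (86,400 possible timestamps) recovers the key by trying each one and can then sign any payload they like; a key drawn from a secure random source has no such shortcut.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400


def timestamp_key(install_ts: int) -> str:
    """Modelled weak key: MD5 of the install timestamp (assumption, not plugin code)."""
    return hashlib.md5(str(install_ts).encode()).hexdigest()


def random_key() -> str:
    """What a secret key should look like: 256 bits from the OS CSPRNG."""
    return secrets.token_hex(32)


def sign(key: str, payload: bytes) -> str:
    """Constructed authentication scheme: HMAC-SHA256 over the submitted payload."""
    return hmac.new(key.encode(), payload, hashlib.sha256).hexdigest()


def verify(key: str, payload: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign(key, payload), tag)


def brute_force_key(payload: bytes, tag: str, start_ts: int, end_ts: int):
    """Attacker's loop: given one captured (payload, tag) pair and a guessed
    install window, derive the candidate key for every second in the window
    and keep the one that validates the captured tag."""
    for ts in range(start_ts, end_ts):
        candidate = timestamp_key(ts)
        if verify(candidate, payload, tag):
            return ts, candidate
    return None


def key_search_space(years: int = 1) -> int:
    """Number of distinct timestamp-derived keys possible per year of installs."""
    return years * 365 * SECONDS_PER_DAY


def demo() -> dict:
    # Constructed scenario: the site installed the plugin on 2015-01-15 at 10:30:07 UTC.
    install = int(datetime(2015, 1, 15, 10, 30, 7, tzinfo=timezone.utc).timestamp())
    site_key = timestamp_key(install)

    # A legitimate analytics submission captured by the attacker (constructed sample).
    payload = b"visitor=1&page=/pricing&referer=https://example.com"
    tag = sign(site_key, payload)

    # The attacker only knows the install *date* (e.g. from an archived copy of the site).
    day_start = int(datetime(2015, 1, 15, tzinfo=timezone.utc).timestamp())
    hit = brute_force_key(payload, tag, day_start, day_start + SECONDS_PER_DAY)

    # Guessing the wrong day finds nothing, which is why narrowing the date matters.
    miss = brute_force_key(payload, tag, day_start - SECONDS_PER_DAY, day_start)

    # With the recovered key the attacker signs whatever payload they want,
    # and the site accepts it as genuine.
    forged_payload = b"visitor=1&page=/admin&referer=attacker-controlled"
    forged_tag = sign(hit[1], forged_payload) if hit else ""

    return {
        "install_ts": install,
        "recovered_ts": hit[0] if hit else None,
        "key_match": bool(hit) and hit[1] == site_key,
        "wrong_day_miss": miss is None,
        "forged_accepted": verify(site_key, forged_payload, forged_tag),
        "keys_per_year": key_search_space(),
        "random_key_bits": len(random_key()) * 4,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The numbers are the whole story: even if the attacker knows only the year, there are about 31.5 million timestamp keys to try, which a laptop exhausts in minutes, whereas the 256-bit random key has roughly 10^77 possibilities. The fix for this class of bug is always the same: generate the key from the operating system's random source at install time and store it, never derive it from anything an outsider can observe or guess.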
What To Do:
When updates are available for any plugin, you should upgrade immediately. A plugin update often contains crucial security fixes, as is the case with the SlimStat plugin today. The advisory that accompanies a security update usually describes the vulnerability in enough detail to exploit it, and the security firm Sucuri published the full details of the SlimStat flaw yesterday. That gives would-be attackers both the knowledge and the confidence to go out and find unpatched sites to attack.
You'll know an update is available simply by logging into WordPress and looking for the small icons with numbers, like those in the images below.
Click the update link, select all the updates and click the Update Plugins button. It's that simple, and it is one of the most important things you can do for your site's security.
Go – update your site and keep it that way.