Critical flaw in WordPress plugin affecting as many as one million sites

Slimstat plugin affected


Over one million WordPress websites have been left open to complete hijacking thanks to a critical vulnerability in a widely used plugin.

First discovered by security outfit Sucuri, the problem concerns an easily guessable key in the WP-Slimstat plugin that results in an SQL injection vector, making it incredibly easy to pilfer sensitive data such as encrypted passwords and keys.

All versions of the plugin prior to the recently released Slimstat 3.9.6 contain the key, and with the plugin downloaded some 1.3 million times there is scope for the issue to be a large one; however, the number of sites actually affected is thought to be a lot lower than that.

A drop in the ocean

That number is a drop in the ocean in terms of the total number of sites on the WordPress platform, which stands at almost 75 million and includes reputable blogs from the likes of the New York Times, CNN and many more.

Sucuri has advised all WordPress users to update their sites as soon as possible. The security firm is the same one that found a flaw in WordPress code last year that allowed attackers to use over 100,000 WordPress sites to launch DDoS attacks.

Via: Ars Technica
