
Users of the WP-Slimstat plugin version 3.9.5 and below should upgrade as soon as possible! During a recent security audit we discovered a vulnerability that allows an attacker to obtain the plugin's "secret" key and, through it, perform a SQL injection.
Successful exploitation of this bug leads to a blind SQL injection, which lets an attacker extract data from the database, including usernames, password hashes and, in some configurations, the secret keys of WordPress itself (full control of the site).
WP-Slimstat uses a "secret" key to sign data sent to and from the client. Looking at how this key is generated, it is clear that an attacker can recover it easily:

A hash of the time at which the plugin was installed is used as the "secret" key. An attacker can use a service such as the Internet Archive to find out the approximate time the site was created; after that, roughly 30 million candidate values remain to be checked, which takes about 10 minutes on a modern CPU.
To brute-force the key, an attacker only needs one piece of valid, signed data produced by the plugin. Such data is easy to find in various fragments of the generated web pages:

At first glance this may look complicated, but once you see how this data structure is used in the plugin, the signing scheme turns out to be simple: a hash of a composite string made of the payload and the "secret" token:

Knowing this, an attacker can brute-force timestamps until the computed signature matches the one observed on the attacked site.
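As an added illustration of the key-generation and signing weaknesses described above (example code written for this page, not WP-Slimstat's own code), the following PHP contrasts a secret derived from the install timestamp with one drawn from a CSPRNG, and the plain `md5(payload . secret)` construction with an HMAC verified in constant time. The assumption that the weak scheme is `md5()` of the Unix install time, and all function names, are ours.

```php
<?php
// Added example, not WP-Slimstat code. Assumption: the weak secret is
// md5() of the Unix timestamp recorded at plugin installation.
function weak_secret_from_install_time(int $install_ts): string {
    // One candidate per second: a year-long install window is only
    // ~31.5 million possibilities, far too few for a signing key.
    return md5((string) $install_ts);
}

// Hardened: 256 bits from the OS CSPRNG, stored once at install time.
function strong_secret(): string {
    return bin2hex(random_bytes(32));
}

// Scheme described on the page: unkeyed hash of payload concatenated with secret.
// Its only strength is the secret's entropy, which the weak derivation destroys.
function sign_weak(string $payload, string $secret): string {
    return md5($payload . $secret);
}

// Hardened: keyed HMAC; the tag cannot be recomputed without the key.
function sign_strong(string $payload, string $secret): string {
    return hash_hmac('sha256', $payload, $secret);
}

// Constant-time comparison so a verifier does not leak tag bytes via timing.
function verify_strong(string $payload, string $sig, string $secret): bool {
    return hash_equals(sign_strong($payload, $secret), $sig);
}

// Usage with constructed sample values.
$secret  = strong_secret();
$payload = 'constructed-sample-payload';
$sig     = sign_strong($payload, $secret);
var_dump(verify_strong($payload, $sig, $secret));         // unmodified payload
var_dump(verify_strong($payload . 'x', $sig, $secret));   // tampered payload
var_dump(weak_secret_from_install_time(1420070400) === sign_weak('', 'irrelevant'));
```

The last line is only there to show that both weak functions are plain `md5()` calls: the point of the hardened pair is that the secret comes from `random_bytes()` and the tag from `hash_hmac()`, so knowing the install date buys an attacker nothing.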
During the investigation we established that we can pass arbitrary data into a call to unserialize(), the result of which is later passed to the maybe_insert_row() method via the $content_info variable:


Given that we control $_data, we can add to it an associative array whose keys are SQL expressions, for example:
array("1=sleep(100)--" => "1")
This ability to execute arbitrary queries allows an attacker to extract any data from the database. This is a dangerous vulnerability, and you should update the plugin as soon as possible.
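To show the defect class behind the injection described above and its fix, here is an added PHP example (written for this page, not WP-Slimstat code). The vulnerable builder interpolates the keys of an associative array straight into the column list, so a key that is an SQL expression lands in the query; the hardened builder accepts only whitelisted column names and returns values as bound parameters. The table name, column list and function names are assumptions for illustration.

```php
<?php
// Added example, not WP-Slimstat code. Table and column names are assumed.

// Vulnerable pattern: array keys become column names verbatim. Escaping the
// values does nothing for the keys.
function build_insert_unsafe(string $table, array $data): string {
    $cols = implode(', ', array_keys($data));
    $vals = implode(', ', array_map(
        fn($v) => "'" . addslashes((string) $v) . "'", $data));
    return "INSERT INTO {$table} ({$cols}) VALUES ({$vals})";
}

// Hardened pattern: every column must match a fixed schema whitelist
// (strict comparison), identifiers are quoted, values are bound.
function build_insert_safe(string $table, array $data, array $allowed_columns): array {
    $cols = [];
    $params = [];
    foreach ($data as $col => $val) {
        if (!in_array($col, $allowed_columns, true)) {
            throw new InvalidArgumentException('Rejected unknown column: ' . $col);
        }
        $cols[] = '`' . $col . '`';
        $params[] = $val;
    }
    $placeholders = implode(', ', array_fill(0, count($params), '?'));
    $sql = 'INSERT INTO `' . $table . '` (' . implode(', ', $cols)
         . ') VALUES (' . $placeholders . ')';
    // Hand $sql and $params to PDO::prepare()/execute(); for $wpdb->prepare()
    // use its %s/%d placeholders instead of '?'.
    return [$sql, $params];
}

$allowed = ['ip', 'browser', 'resource'];           // assumed schema
$benign  = ['ip' => '203.0.113.5', 'browser' => 'Firefox'];
// Constructed untrusted input of the shape the page describes: an SQL expression as a key.
$hostile = ['1=sleep(100)-- ' => '1'];

echo build_insert_unsafe('stats_table', $benign), PHP_EOL;
echo build_insert_unsafe('stats_table', $hostile), PHP_EOL;   // expression in column list

[$sql, $params] = build_insert_safe('stats_table', $benign, $allowed);
echo $sql, ' <- ', json_encode($params), PHP_EOL;
try {
    build_insert_safe('stats_table', $hostile, $allowed);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                            // rejected before any SQL is built
}
```

The whitelist is the essential part: prepared statements bind values, not identifiers, so column names that originate in deserialized client data must be checked against the schema before they ever reach the query string.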