High-risk vulnerability in WP-Slimstat, a WordPress traffic statistics plugin

WP-Slimstat, one of the most popular WordPress plugins, which provides real-time website traffic statistics, has been found to contain a high-risk vulnerability affecting more than one million websites worldwide.


Background: understanding WP-Slimstat

WP-Slimstat (WP stands for WordPress) is the most popular website traffic statistics plugin for WordPress. More than 70 million sites worldwide are built on WordPress, and over 1.3 million of them use the WP-Slimstat plugin.

WP-Slimstat is a powerful real-time statistics and analytics plugin for WordPress with a large feature set; a Chinese language pack is also available, which makes it convenient to use. Its features include:

real-time web analytics reports

compatibility with the W3 Total Cache plugin

a flexible management interface (modules can be rearranged or hidden)

compliance with European privacy law (IP anonymizer)

accurate IP geolocation, browser and platform detection

analytics data (IP address, browser, search terms, user and more) viewable through multiple filters

per-user permissions for viewing and managing the statistics

a pannable and zoomable JavaScript world map with support for mobile devices

Vulnerability description

All versions of WP-Slimstat prior to 3.9.6 use a simple, predictable "secret" key with which the plugin tags the site's visitors. Once that key is known, an attacker can carry out a (blind) SQL injection against the target site and extract sensitive information from its database, including user names, password hashes and the critical WordPress secret keys.

The WP-Slimstat key is nothing more than an MD5 hash of the plugin's installation timestamp, so a service such as the Internet Archive's Wayback Machine can help an attacker narrow down when the plugin was installed. Even without that help, the attacker needs at most about 30 million guesses, and at the rate a commodity CPU computes MD5 hashes, that brute force takes only around 10 minutes.
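As an added example (not the plugin's code and not part of the original article), the following Python models the weakness just described: a secret that is the hex MD5 digest of the installation timestamp (an assumed reconstruction; the article does not state exactly which string the plugin hashed), a search that recovers it from a window of timestamps such as two Wayback Machine snapshot dates, and the CSPRNG-based replacement a fixed plugin should use. The install time, the snapshot timestamps and the measured hashing rate are constructed or machine-dependent.

```python
"""Why md5(install_timestamp) is a guessable secret.

Added example for this article; assumed model, not WP-Slimstat's own code.
"""
import hashlib
import secrets
import time
from datetime import datetime, timezone

# Constructed sample: pretend the plugin was installed at this Unix time
# (1_400_000_000 = 2014-05-13 16:53:20 UTC).
INSTALL_TS = 1_400_000_000


def weak_secret(install_ts: int) -> str:
    """Assumed reconstruction of the weak scheme: hex MD5 of the install time."""
    return hashlib.md5(str(install_ts).encode()).hexdigest()


def strong_secret() -> str:
    """What the secret should be: 128 bits from the OS CSPRNG, unrelated to any clock."""
    return secrets.token_hex(16)


def wayback_window(last_snapshot_without: str, first_snapshot_with: str):
    """Turn two Wayback Machine capture timestamps (YYYYMMDDhhmmss, UTC) into an
    epoch range: the plugin was installed between the last capture that lacks
    its tracker and the first capture that has it."""
    def to_epoch(stamp: str) -> int:
        naive = datetime.strptime(stamp, "%Y%m%d%H%M%S")
        return int(naive.replace(tzinfo=timezone.utc).timestamp())
    return to_epoch(last_snapshot_without), to_epoch(first_snapshot_with)


def recover_install_time(observed_secret: str, start: int, end: int):
    """Brute force: hash every second in [start, end] until one matches.
    Returns the timestamp, or None if it lies outside the window."""
    for ts in range(start, end + 1):
        if weak_secret(ts) == observed_secret:
            return ts
    return None


def guesses_needed(start: int, end: int) -> int:
    """Size of the search space for a timestamp window (one guess per second)."""
    return end - start + 1


def md5_rate(samples: int = 200_000) -> float:
    """Rough single-core throughput of weak_secret() on this machine, in guesses/s."""
    t0 = time.perf_counter()
    for ts in range(samples):
        weak_secret(ts)
    return samples / (time.perf_counter() - t0)


if __name__ == "__main__":
    # Constructed snapshot dates: site captured without the tracker on May 10,
    # with it on May 17, 2014.
    start, end = wayback_window("20140510000000", "20140517000000")
    secret = weak_secret(INSTALL_TS)
    found = recover_install_time(secret, start, end)
    print("recovered install time:", found, "(correct)" if found == INSTALL_TS else "(miss)")
    rate = md5_rate()
    week = guesses_needed(start, end)
    print(f"one-week window: {week:,} guesses, ~{week / rate:.1f}s at {rate:,.0f} guesses/s")
    print(f"article's 30,000,000-guess bound: ~{30_000_000 / rate:.0f}s in pure Python")
    print(f"random 32-hex-char secret: 16**32 = 2**128 = {16 ** 32:,} possibilities")
```

Running it recovers the constructed install time in well under a second; the printed throughput shows why even a year-wide window (roughly 30 million seconds) is a job of minutes, whereas a 128-bit random secret has 2^128 possibilities and no relationship to any clock or public archive an attacker can consult.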

Security researchers recommend that everyone using this popular plugin upgrade to version 3.9.6 or later as soon as possible.
