Over 100,000 WordPress Websites Affected by XSS and SQLi Vulnerabilities in Slimstat Analytics Plugin
On August 24, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) and a Blind SQL Injection vulnerability in the Slimstat Analytics plugin, which is actively installed on more than 100,000 WordPress websites. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages or execute SQL queries by appending them to an existing SQL query using the plugin’s shortcode.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting and SQL Injection protection.
We contacted VeronaLabs on August 24, 2023, and we received a response on the same day. After providing full disclosure details, the developer released a patch on August 28, 2023. We would like to commend VeronaLabs for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of Slimstat Analytics, version 5.0.10 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Description: Slimstat Analytics 0 // offset for counters
), $_attributes);
line 724
$output=’
- ‘ . implode(”, $output) . ‘
‘;
The slimstat_shortcode method snippet in the wp_slimstat class
This makes it possible for threat actors with contributor-level access to a site to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or that a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.
Further examining the code, we also found a SQL Injection vulnerability within the same shortcode. Although the ‘w’ parameter will be converted into an array, it is not properly sanitized. This parameter is used for the column in the database query, and although the prepare function is used, the column is not specified as a placeholder, which makes it possible for an attacker to perform SQL injection attacks.
$w=self::string_to_array($w);The slimstat_shortcode method snippet in the wp_slimstat class
public static function get_top($_column='id', $_where='', $_having='', $_use_date_filters=true, $_as_column='')
{
// This function can be passed individual arguments, or an array of arguments
if (is_array($_column)) {
$_where =!empty($_column['where']) ? $_column['where'] : '';
$_having =!empty($_column['having']) ? $_column['having'] : '';
$_use_date_filters=!empty($_column['use_date_filters']) ? $_column['use_date_filters'] : true;
$_as_column =!empty($_column['as_column']) ? $_column['as_column'] : '';
$_column =$_column['columns'];
}
$group_by_column=$_column;
if (!empty($_as_column)) {
$_column="$_column AS $_as_column";
} else {
$_as_column=$_column;
}
$_where=self::get_combined_where($_where, $_as_column, $_use_date_filters);
// prepare the query
$sql=$GLOBALS['wpdb']->prepare("
SELECT $_column, COUNT(*) counthits
FROM {$GLOBALS['wpdb']->prefix}slim_stats
WHERE $_where
GROUP BY $group_by_column $_having
ORDER BY counthits DESC
LIMIT 0, %d", self::$filters_normalized['misc']['limit_results']);
return self::get_results($sql, ((!empty($_as_column) && $_as_column !=$_column) ? $_as_column : $_column),
'counthits DESC', ((!empty($_as_column) && $_as_column !=$_column) ? $_as_column : $_column),
'SUM(counthits) AS counthits');
}The get_top method in the wp_slimstat_db class
Since no data from the SQL query was returned in the response, an attacker would need to use a Time-Based blind approach to extract information from the database. This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database. This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities.
Disclosure Timeline
August 24, 2023 – Wordfence Threat Intelligence team discovers the stored XSS and SQL Injection vulnerabilities in Slimstat Analytics.
August 24, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
August 26, 2023 – The vendor confirms the inbox for handling the discussion.
August 26, 2023 – We send over the full disclosure details for the XSS vulnerability.
August 27, 2023 – We send over the full disclosure details for the SQL injection vulnerability.
August 27, 2023 – The vendor acknowledges the report and begins working on a fix.
August 28, 2023 – The fully patched version, 5.0.10, is released.
Conclusion
In this blog post, we have detailed stored XSS and SQL Injection vulnerabilities within the Slimstat Analytics plugin affecting versions 5.0.9 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page, and extract sensitive information from a database. These vulnerabilities have been fully addressed in version 5.0.10 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Slimstat Analytics.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.
Source: wordfence.com
