16 Mar 2023

Our Firewall Plugin Caught That Jetpack’s “Internal Audit” of Slimstat Analytics Missed That Vulnerability Still Exists

Recently Automattic’s Jetpack claimed to have done an “internal audit” of the WordPress plugin Slimstat Analytics and found an authenticated SQL injection vulnerability that was subsequently fixed. We don’t know what an internal audit is supposed to be, but they failed to fully test or check over the vulnerable code, and the authenticated SQL injection vulnerability still exists (which isn’t that surprising, considering the discoverer is a former employee of Sucuri). They also missed another security issue in the relevant code, which helped lead to the vulnerability still existing. Interestingly, an in-development feature of our firewall plugin caught that the issue hadn’t been fully resolved.

Another Automattic unit, WPScan, also missed that this wasn’t fully resolved: [Read more]

12 Sep 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in Slimstat Analytics

One of the changelog entries for a recent version of Slimstat Analytics is “[Fix] License keys for premium add-ons were not being saved as expected, due to a side effect of the new security features we implemented in the Settings.” When we went to see if a previous version had introduced a security fix, we found, somewhat confusingly, that the new version was introducing a security fix.

[Read more]

22 May 2019

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Slimstat Analytics

Yesterday we detailed a persistent cross-site scripting (XSS) vulnerability in the plugin Slimstat Analytics, and at about the same time the discoverer of the vulnerability, Sucuri, released a post with similar details, but one notably silent about how the vulnerability was fixed. We are not sure why they didn’t include that, but it is important, since the fix was less than ideal: instead of using the relevant WordPress escaping function, the developer used code that did a more limited version of what that function does (yesterday we notified the developer that this could be better handled). It is always a good idea not to roll your own security code when you don’t need to, so what happened there might be a sign that the developer doesn’t have the best handle on dealing with the security of WordPress plugins.

That is further backed up by a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability we found in the plugin, which we noticed by chance while figuring out what versions were impacted by the other vulnerability so that we could let them know if versions of the plugin used on their websites were impacted. We noticed part of that vulnerability while looking at a fairly old version, so we suspected it would have been noticed and fixed by now considering the plugin has 100,000+ active installations according to wordpress.org, but that isn’t the case. [Read more]

21 May 2019

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Slimstat Analytics

Yesterday a new release of the plugin Slimstat Analytics included a changelog entry “[Fix] Addressed a remote XSS vulnerability disclosed by Sucuri/GoDaddy.”, but Sucuri doesn’t seem to have disclosed any vulnerability, so it isn’t clear what that referred to. In the Subversion commit logged as “Addressed a remote XSS vulnerability disclosed by Sucuri/GoDaddy”, no code was changed. When we did a quick check of the code that was actually changed yesterday, we were confused as to how what looked like the related code could be a vulnerability, but on a more thorough check we realized that different code was what related to it, and the change made doesn’t seem an ideal fix for the persistent cross-site scripting (XSS) vulnerability in question.

[Read more]

1 Sep 2017

What Happened With WordPress Plugin Vulnerabilities in August 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during August (and what you have been missing out on if you haven’t signed up yet): [Read more]

30 Aug 2017

Authenticated PHP Object Injection Vulnerability in Slimstat Analytics

We recently started proactively monitoring for evidence of some high-risk vulnerabilities when changes are made to WordPress plugins, and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. One of the types of vulnerabilities we are looking for is PHP object injection vulnerabilities, since those are likely to be exploited if hackers become aware of them. Through that we came across an authenticated PHP object injection vulnerability in Slimstat Analytics.

The plugin normally only allows users with the “activate_plugins” capability, which would normally only be Administrators, to access the admin pages of the plugin, but in the settings it is possible to change the capability needed or to whitelist other users so that they can access them. There are two categories of pages that lower-level users can be permitted to access: reports and settings. Within what is accessible from either of those there has been a PHP object injection vulnerability. [Read more]