If you use WP Slimstat, make sure you are running version 3.9.6 or later: Sucuri has discovered a severe SQL injection vulnerability in versions 3.9.5 and lower. WP Slimstat is an analytics plugin for WordPress that provides real-time visitor monitoring, heatmaps, and other traffic-analytics features. According to Sucuri, the vulnerability can be exploited by any visitor browsing a vulnerable website:
This bug can be used by any visitor browsing the vulnerable website. If your website uses a vulnerable version of the plugin, you’re at risk. Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including usernames, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover).
The plugin's author has patched the vulnerability and offers some additional advice for anyone applying the update:
If you are using a caching plugin, please flush its cache so that the tracking code can be regenerated with the new key. Also, if you are using Slimstat to track external websites, please make sure to replace the tracking code with the new one available under Settings > Advanced.
Spread the word, and to stay protected, make sure any site you run that uses WP Slimstat is updated to the latest version.
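If you administer several WordPress installs, a quick way to find the ones still on an affected release is to read the plugin's own version header rather than trusting the dashboard. The script below is an added example written for this page; it is not code from Sucuri or from the WP Slimstat author. It assumes the plugin sits at the standard slug path wp-content/plugins/wp-slimstat/wp-slimstat.php (an assumption; adjust the path if your install differs) and uses the ordinary WordPress "Version:" plugin header. The demo at the bottom runs against a constructed sample install in a temporary directory, so it touches no real site.

```shell
#!/bin/sh
# Added example (not from the article, Sucuri, or the plugin author).
# Flags WordPress installs whose WP Slimstat is older than the fixed
# release (3.9.6) by parsing the plugin's "Version:" header.
# Assumption: the plugin lives at the standard slug path below.

FIXED_VERSION="3.9.6"
SLIMSTAT_MAIN_FILE="wp-content/plugins/wp-slimstat/wp-slimstat.php"   # assumed path

# version_ge A B -> exit 0 when dotted numeric version A >= B, 1 otherwise.
# Missing components count as 0, so 3.9 < 3.9.6 and 3.9.10 > 3.9.6.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"        # leading component of each version
    if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
    ah="${ah:-0}"; bh="${bh:-0}"
    [ "$ah" -gt "$bh" ] && return 0
    [ "$ah" -lt "$bh" ] && return 1
  done
  return 0
}

# slimstat_version FILE -> prints the numeric value of the "Version:" header.
# Accepts both "Version: x.y.z" and " * Version: x.y.z" header styles.
slimstat_version() {
  sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# check_slimstat WP_ROOT -> exit 0 if the plugin is absent or >= 3.9.6,
# exit 1 (with a warning) if an affected or unreadable version is installed.
check_slimstat() {
  file="$1/$SLIMSTAT_MAIN_FILE"
  if [ ! -f "$file" ]; then
    echo "WP Slimstat not installed under $1"
    return 0
  fi
  v=$(slimstat_version "$file")
  if [ -z "$v" ]; then
    echo "WARNING: could not read a Version header from $file"
    return 1
  fi
  if version_ge "$v" "$FIXED_VERSION"; then
    echo "OK: WP Slimstat $v (>= $FIXED_VERSION)"
    return 0
  fi
  echo "VULNERABLE: WP Slimstat $v (< $FIXED_VERSION); update the plugin,"
  echo "  then flush any caching plugin so the tracking code is regenerated."
  return 1
}

# Stand-alone demo on a constructed sample install (temporary directory only).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/plugins/wp-slimstat"
printf '<?php\n/*\nPlugin Name: WP Slimstat\nVersion: 3.9.5\n*/\n' \
  > "$demo_root/$SLIMSTAT_MAIN_FILE"
check_slimstat "$demo_root" || true     # prints the VULNERABLE warning
rm -rf "$demo_root"
```

Run it as `check_slimstat /var/www/example` for each document root (or loop over them); a non-zero exit status marks a site that still needs the update, which makes the check easy to drop into a cron job or a configuration-management audit.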