Yup… they nailed it.
If you're running WordPress with the WP-Slimstat plugin, make sure you update to version 3.9.6 immediately. Versions prior to the recently released Slimstat 3.9.6 contain a readily guessable key that's used to sign data sent to and from visiting end-user computers, according to a blog post published Tuesday by Web security firm Sucuri. The result is a SQL injection vector that can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites.
Read more details here: http://blog.sucuri.net/2015/02/security-advisory-wp-slimstat-3-9-5-and-lower.html
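To find installs that still need the update, here is an added example (not from Sucuri or the plugin's authors) that walks a hosting root and flags every WP-Slimstat copy older than 3.9.6. It assumes the plugin sits in `wp-content/plugins/wp-slimstat/` and carries the standard WordPress `Version:` plugin header; the sample sites in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 9, 6)  # first fixed release named in the post
# Assumption: the plugin lives in wp-content/plugins/wp-slimstat/ and its
# PHP files carry the standard WordPress "Version:" plugin header.
PLUGIN_GLOB = "wp-content/plugins/wp-slimstat/*.php"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)

def parse_version(header_text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def needs_update(version):
    """True when version is older than 3.9.6 (3.9 is compared as 3.9.0)."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED

def audit(root):
    """Map each WordPress site under root to (version string, needs update)."""
    findings = {}
    for php in sorted(Path(root).rglob(PLUGIN_GLOB)):
        # WordPress reads plugin headers from the first 8 KiB of the file.
        version = parse_version(php.read_text(errors="replace")[:8192])
        if version is not None:
            site = str(php.parents[3].relative_to(root))
            findings[site] = (".".join(map(str, version)), needs_update(version))
    return findings

def demo():
    """Build two constructed installs in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in (("site-a", "3.9.5"), ("site-b", "3.9.6")):
            plugin = Path(tmp, site, "wp-content/plugins/wp-slimstat")
            plugin.mkdir(parents=True)
            # Constructed sample header, not copied from the real plugin.
            (plugin / "wp-slimstat.php").write_text(
                f"<?php\n/*\nPlugin Name: WP Slimstat\nVersion: {ver}\n*/\n")
        return audit(tmp)

if __name__ == "__main__":
    for site, (ver, old) in demo().items():
        print(f"{site}: wp-slimstat {ver} -> {'UPDATE NOW' if old else 'ok'}")
```

The check reports patch level only; it says nothing about whether data was already extracted from a site that ran an older version.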