This WordPress crypto widget plugin can leak sensitive information

Avatar

The Cyber Security Agency of Singapore (CSA) highlighted that a cryptocurrency widget plugin for the web development platform WordPress contains a vulnerability that can be used to extract sensitive information. 

A security bulletin released by the Singapore Cyber Emergency Response Team (SingCERT) alerted against the plugin named “The Cryptocurrency Widgets – Price Ticker & Coins List,” marking it down for critical vulnerabilities.

SingCERT’s Security Bulletin summarizes the list of vulnerabilities in the WordPress crypto widget. Source: csa.gov.sg

As shown above, the crypto widget received a 9.8/10 base score, placing it at “critical,” which is the highest on the spectrum of vulnerabilities.

The National Vulnerability Database (NVD) — the United States government repository of standards-based vulnerability management data — explained that the WordPress crypto plugin is “vulnerable to SQL Injection via the ‘coinslist’ parameter in versions 2.0 to 2.6.5 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.”

WordPress widget “Cryptocurrency Widgets – Price Ticker & Coins List plugin” security risk. Source: nvd.nist.gov

The said vulnerability allows the extraction of sensitive information from the database by making it possible for unauthenticated attackers to append additional structured query language (SQL) queries into already existing queries.

According to the security firm CVE Program, the widget was provided by a vendor named “narinder-singh,” and versions 2.0 through 2.6.5 were found to carry the vulnerability.

Related: Bitcoin ATM flaw could’ve given hackers ‘total control’

On Dec. 9, 2023, the NVD flagged Bitcoin (BTC) inscriptions as a cybersecurity risk.

According to the database records, a data carrier limit can be bypassed by masking data as code in some Bitcoin Core and Bitcoin Knots versions. “As exploited in the wild by Inscriptions in 2022 and 2023,” reads the document.

Bitcoin’s vulnerability is listed in the Common Vulnerabilities and Exposures (CVE) System. Source: CVE Records

The NVD’s website features a recent X post from Bitcoin Core developer Luke Dashjr as an information resource. Dashjr alleges that inscriptions exploit a Bitcoin Core vulnerability to spam the network. “I guess it’s like receiving junk mail that you have to sift through every day to find the ones that are your contacts. It slows down the process,” a user wrote in the discussion.

Magazine: Real-life Doge at 18: Meme that’s going to the moon