
This WordPress crypto widget plugin can leak sensitive information


The Cyber Security Agency (CSA) of Singapore highlighted that a cryptocurrency widget plugin for the web development platform WordPress contains a vulnerability that can be used to extract sensitive information. 

A security bulletin released by the Singapore Cyber Emergency Response Team (SingCERT) alerted against the plugin named ‘The Cryptocurrency Widgets – Price Ticker & Coins List,’ marking it down for critical vulnerabilities.

SingCERT’s Security Bulletin summarizes the list of vulnerabilities in the WordPress crypto widget. Source: csa.gov.sg

As shown above, the crypto widget received a 9.8/10 base score, placing it in the ‘critical’ band, the highest severity tier for vulnerabilities.

The National Vulnerability Database (NVD) — the U.S. government repository of standards-based vulnerability management data — explained that the WordPress crypto plugin is “vulnerable to SQL Injection via the ‘coinslist’ parameter in versions 2.0 to 2.6.5 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.”

WordPress widget ‘Cryptocurrency Widgets – Price Ticker & Coins List plugin’ security risk. Source: nvd.nist.gov

The vulnerability lets unauthenticated attackers append additional SQL to the plugin’s existing queries, which makes it possible to extract sensitive information from the database.
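As an added illustration (not the plugin’s own code; the table, column and function names are assumed), the difference between splicing a request parameter such as ‘coinslist’ straight into a query and binding each value through WordPress’s $wpdb->prepare():

```php
<?php
// Hypothetical example written for this article, not code from the
// affected plugin. Table and column names are assumed.

// WEAK: the raw parameter is concatenated into the statement, so whatever
// the client sends in coinslist is interpreted as SQL by the database.
function ccw_get_coins_weak( $coinslist ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ccw_coins'; // assumed table name
    $sql   = "SELECT symbol, price FROM {$table} WHERE symbol IN ({$coinslist})";
    return $wpdb->get_results( $sql );
}

// HARDENED: validate the shape of the input, then hand every value to
// $wpdb->prepare() so user data is always quoted and escaped as a literal.
function ccw_get_coins_safe( $coinslist ) {
    global $wpdb;
    // "btc,eth,sol" -> individual tokens; keep only plausible ticker symbols.
    $symbols = array_filter(
        array_map( 'trim', explode( ',', (string) $coinslist ) ),
        function ( $s ) { return (bool) preg_match( '/^[a-z0-9]{1,16}$/i', $s ); }
    );
    if ( empty( $symbols ) ) {
        return array();
    }
    $symbols = array_values( array_unique( $symbols ) );
    // One %s placeholder per value; prepare() accepts the array of values.
    $placeholders = implode( ', ', array_fill( 0, count( $symbols ), '%s' ) );
    $table        = $wpdb->prefix . 'ccw_coins'; // assumed table name
    $sql          = $wpdb->prepare(
        "SELECT symbol, price FROM {$table} WHERE symbol IN ({$placeholders})",
        $symbols
    );
    return $wpdb->get_results( $sql );
}

// Typical wiring from a request handler (AJAX or REST callback).
function ccw_handle_request() {
    $coinslist = isset( $_GET['coinslist'] ) ? wp_unslash( $_GET['coinslist'] ) : '';
    return ccw_get_coins_safe( $coinslist );
}
```

The allow-list regex is a defence in depth step; the prepared statement alone already prevents the parameter from being parsed as SQL.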

According to the security firm CVE Program, the widget was provided by a vendor named ‘narinder-singh’ and versions 2.0 through 2.6.5 were found to carry the vulnerability.


On Dec. 9, the NVD flagged Bitcoin’s (BTC) inscriptions as a cybersecurity risk.

According to the database records, a datacarrier limit can be bypassed by masking data as code in some Bitcoin Core and Bitcoin Knots versions. “As exploited in the wild by Inscriptions in 2022 and 2023,” reads the document.

Bitcoin’s vulnerability listed in the Common Vulnerabilities and Exposures (CVE) System. Source: CVE Records.

On the NVD’s website, a recent post from Bitcoin Core developer Luke Dashjr on X (formerly Twitter) is featured as an information resource. Dashjr alleges that inscriptions exploit a Bitcoin Core vulnerability to spam the network. “I guess it’s like receiving junk mail that you have to sift through every day to find the ones that are your contacts. It slows down the process,” a user wrote in the discussion.
