Yesterday, the Cyber Security Agency of Singapore (CSA) highlighted a significant security concern affecting a cryptocurrency widget plugin for the WordPress content management system. The plugin, “The Cryptocurrency Widgets – Price Ticker & Coins List,” contains a flaw that can expose sensitive information.
According to a security bulletin released by the CSA, the vulnerability carries a base score of 9.8 out of 10, placing it in the “critical” category, which the CSA defines as any score of 9.0 or higher.
The Crypto Widget Plugin’s Vulnerabilities
The National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data, records a critical vulnerability in the plugin: versions 2.0 through 2.6.5 are susceptible to SQL injection through the ‘coinslist’ parameter.
The flaw stems from inadequate sanitization of the user-supplied value in that parameter, combined with a lack of proper preparation (parameterization) of the existing SQL query. Because of this, an unauthenticated attacker can append additional SQL queries to the one the plugin already runs and use them to extract sensitive information from the database.
The CVE Program, which assigns identifiers to publicly disclosed vulnerabilities, attributes the affected widget to a vendor named “narinder-singh” and confirms versions 2.0 through 2.6.5 as vulnerable.
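To make the mechanism concrete, here is an added example that is not the plugin's code and not taken from any of the sources above. It assumes, hypothetically, that a comma-separated ‘coinslist’ value is dropped straight into an `IN (...)` clause, and it runs that pattern against an in-memory SQLite database with constructed data, showing the injection succeeding against the unprepared query and failing against the validated, parameterized one. Every table, column and function name here is an assumption made for illustration.

```python
import re
import sqlite3


def make_db():
    """Build an in-memory SQLite database with constructed sample data:
    a coins table the widget is meant to read, plus a users table holding
    data the widget should never expose (names and values are assumptions)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE coins (id INTEGER PRIMARY KEY, symbol TEXT, price REAL);
        INSERT INTO coins VALUES (1, 'BTC', 43000.0), (2, 'ETH', 2300.0), (3, 'SOL', 95.0);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHashValue');
    """)
    return con


def coins_vulnerable(con, coinslist):
    """Hypothetical vulnerable pattern (an assumption, not the plugin's actual
    code): the comma-separated list is interpolated verbatim into IN (...),
    so a closing parenthesis in the input ends the list and everything after
    it is executed as SQL."""
    sql = f"SELECT symbol, price FROM coins WHERE id IN ({coinslist})"
    return con.execute(sql).fetchall()


def coins_safe(con, coinslist):
    """Hardened form: every element must be an ASCII integer, and each one is
    bound through a placeholder, so the input can only ever be treated as data."""
    ids = []
    for part in coinslist.split(","):
        part = part.strip()
        # [0-9]+ rather than str.isdigit(): isdigit() also accepts characters
        # such as superscripts that int() then refuses.
        if not re.fullmatch(r"[0-9]+", part):
            raise ValueError(f"invalid coin id: {part!r}")
        ids.append(int(part))
    placeholders = ",".join("?" * len(ids))  # one '?' per id, e.g. "?,?"
    sql = f"SELECT symbol, price FROM coins WHERE id IN ({placeholders}) ORDER BY id"
    return con.execute(sql, ids).fetchall()


# Constructed payload of the kind an unauthenticated request could carry in
# the 'coinslist' parameter: close the IN list, append a second SELECT with
# the same column count, and comment out the remainder of the original query.
PAYLOAD = "1) UNION ALL SELECT user_login, user_pass FROM wp_users --"


def demo():
    """Run both query styles against the same data and report the outcomes."""
    con = make_db()
    leaked = coins_vulnerable(con, PAYLOAD)
    try:
        coins_safe(con, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_rows": leaked,             # includes a wp_users row
        "safe_rows": coins_safe(con, "1,3"),   # only the requested coins
        "safe_rejects_payload": rejected,      # True: payload never reaches SQL
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In a WordPress plugin the same fix is to pass each id through `absint()` and build the query with `$wpdb->prepare()` using one `%d` placeholder per element instead of concatenating the raw parameter. Since the page describes the attack as unauthenticated, the code path is reachable without a login, so the input validation is the only control standing between the request and the database.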
Cybersecurity Risks Plaguing Crypto
Security vulnerabilities continue to surface across the crypto industry, as a recent incident involving Bitcoin ATM manufacturer Lamassu Industries shows. Two weeks ago the company patched a critical vulnerability that, if exploited, could have given attackers complete control over its Bitcoin ATMs.
Gabriel Gonzalez, Director of Hardware Security at IOActive, reported the vulnerability, noting that it could have allowed attackers to drain all funds from an ATM and manipulate the note reader so that it registered incorrect deposit amounts.
The vulnerability came to light when a team of IOActive researchers tested Lamassu’s Bitcoin ATMs in 2023, uncovering and exploiting multiple vulnerabilities and ultimately gaining full control of the machines.