The Cyber Security Agency of Singapore (CSA) has issued a warning regarding a vulnerability found in a cryptocurrency widget plugin designed for the popular web development platform WordPress. SingCERT, the Singapore Cyber Emergency Response Team, released a security bulletin identifying the plugin titled “The Cryptocurrency Widgets – Price Ticker & Coins List” as having critical vulnerabilities.
The vulnerability in the plugin received a high severity rating, with a base score of 9.8 out of 10, which categorizes it as “critical” on the vulnerability spectrum. This assessment underscores the seriousness of the security flaw.
According to the National Vulnerability Database (NVD), the WordPress cryptocurrency plugin is susceptible to SQL injection via the ‘coinslist’ parameter in versions 2.0 to 2.6.5. The vulnerability arises from insufficient escaping of the user-supplied parameter and a lack of preparation (parameterization) of the existing SQL query. Exploiting this vulnerability enables unauthenticated attackers to extract sensitive information from the database by injecting additional SQL queries.
The widget in question was created by a vendor identified as “narinder-singh.” Versions 2.0 through 2.6.5 of the plugin have been confirmed to contain the vulnerability.
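The flaw class described above (a list-valued request parameter pasted into SQL text instead of being bound to a prepared query) is shown below next to a corrected form. This is an added example, not the plugin's code: it uses Python with an in-memory SQLite database as a stand-in, and the table, column and function names, the sample rows, and the assumption that the parameter is a comma-separated list feeding an `IN (...)` clause are all constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; the table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coins (symbol TEXT, price REAL)")
    db.executemany("INSERT INTO coins VALUES (?, ?)",
                   [("btc", 43000.0), ("eth", 2300.0), ("ltc", 72.0)])
    return db

def lookup_vulnerable(db, coinslist):
    # Flawed pattern: each list item is wrapped in quotes and concatenated
    # into the SQL text, so a quote inside the value changes the query itself.
    quoted = ",".join("'%s'" % c for c in coinslist.split(","))
    sql = "SELECT symbol, price FROM coins WHERE symbol IN (%s)" % quoted
    return db.execute(sql).fetchall()

SYMBOL_RE = re.compile(r"[a-z0-9-]{1,32}")  # assumed shape of a coin identifier
MAX_ITEMS = 50                              # assumed upper bound on list length

def lookup_hardened(db, coinslist, validate=True):
    symbols = [c.strip().lower() for c in coinslist.split(",") if c.strip()]
    if validate:
        # Defence in depth: reject anything that is not a plain identifier.
        if not symbols or len(symbols) > MAX_ITEMS:
            raise ValueError("invalid coinslist")
        if not all(SYMBOL_RE.fullmatch(s) for s in symbols):
            raise ValueError("invalid coinslist")
    if not symbols:
        return []
    # The actual fix: one placeholder per item. Only "?" marks reach the SQL
    # text; the values are bound separately and are never parsed as SQL.
    placeholders = ",".join("?" * len(symbols))
    sql = "SELECT symbol, price FROM coins WHERE symbol IN (%s)" % placeholders
    return db.execute(sql, symbols).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "x') OR ('1'='1"  # constructed value containing a quote
    print(len(lookup_vulnerable(db, crafted)), "rows from the concatenated query")
    print(lookup_hardened(db, crafted, validate=False), "from the bound query")
```

With the concatenated query the constructed value rewrites the `WHERE` clause and every row comes back; with bound placeholders the same value is compared as a literal string and matches nothing.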
On December 9, 2023, the NVD flagged Bitcoin (BTC) ticker data as a cybersecurity risk due to a data carrier limit bypass vulnerability present in certain versions of Bitcoin Core and Bitcoin Knots. This vulnerability, exploited by Inscriptions in 2022 and 2023, allows attackers to mask data as code, circumventing the data carrier limit.
Bitcoin Core developer Luke Dashjr has commented on the exploitation of the vulnerability by Inscriptions, noting its adverse effects on the Bitcoin network. The spamming of the network slows down transactions, analogous to receiving unwanted junk mail that must be sifted through to find legitimate messages, as described by a user in the discussion.