A vulnerability in a WordPress plugin designed for cryptocurrency widgets has raised concerns over the potential leakage of sensitive information.
Warns About Plugin Safety (WordPress)
The plugin in question, “Cryptocurrency Widgets – Price Ticker & Coins List,” has been identified by the Cyber Security Agency of Singapore (CSA) as carrying a critical vulnerability across versions 2.0 through 2.6.5.
SingCERT, the Singapore Cyber Emergency Response Team, issued a security bulletin warning about the plugin’s susceptibility to exploitation. Rated at a base score of 9.8 out of 10 by the National Vulnerability Database (NVD), the vulnerability lies in the plugin’s handling of user-supplied parameters. Specifically, the ‘coinslist’ parameter is vulnerable to SQL injection because the user-supplied value is insufficiently escaped and the existing SQL query is not properly prepared.
This SQL injection vulnerability enables attackers to extract sensitive information from the database by appending additional SQL queries, even without authentication. The plugin, attributed to a vendor named “Narinder-Singh,” has been identified as affected in versions 2.0 through 2.6.5 by the security firm CVE Program.
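As an added illustration (not the plugin's own code), the pattern the bulletin describes: a comma-separated list parameter concatenated straight into a query, beside the same lookup with every value validated and bound through `$wpdb->prepare()`. The table name `{$wpdb->prefix}coins` and its columns are assumptions.

```php
<?php
// Added illustration, not the plugin's actual code. Assumes a WordPress
// environment ($wpdb) and a hypothetical table {$wpdb->prefix}coins.

// Vulnerable pattern: the comma-separated 'coinslist' value is dropped
// directly into the query, so the database cannot tell data from SQL.
function get_coins_unsafe( $coinslist ) {
    global $wpdb;
    $sql = "SELECT symbol, price FROM {$wpdb->prefix}coins WHERE symbol IN ({$coinslist})";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: split the list, accept only strict ticker symbols, and
// bind each surviving value with its own %s placeholder via $wpdb->prepare(),
// so the query structure is fixed before any user data is attached.
function get_coins_safe( $coinslist ) {
    global $wpdb;
    $symbols = array_filter( array_map( 'trim', explode( ',', (string) $coinslist ) ) );
    // Ticker symbols are short alphanumerics; reject anything else outright.
    $symbols = array_values( array_filter( $symbols, function ( $s ) {
        return (bool) preg_match( '/^[A-Za-z0-9]{1,10}$/', $s );
    } ) );
    if ( empty( $symbols ) ) {
        return array();
    }
    // One placeholder per value, e.g. "%s,%s,%s" for three symbols.
    $placeholders = implode( ',', array_fill( 0, count( $symbols ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT symbol, price FROM {$wpdb->prefix}coins WHERE symbol IN ({$placeholders})",
        $symbols
    );
    return $wpdb->get_results( $sql );
}
```

Building the placeholder list from the validated array is what makes a variable-length IN clause safe; the whitelist check on each entry additionally limits what can reach the prepared statement at all.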