A Warning from Singapore’s Cybersecurity Agency
A vulnerability in a popular crypto widget plugin for WordPress has been identified by Singapore’s cybersecurity agency. The Cybersecurity Agency of Singapore (CSA) has issued a critical warning about the “Cryptocurrency Widgets – Price Ticker & Coins List” plugin, specifically versions 2.0 to 2.6.5, which are susceptible to SQL injections via the ‘coinslist’ parameter.
The Vulnerability and Potential Risks
The vulnerability stems from insufficient escaping of user-supplied parameters and a lack of sufficient preparation on the existing SQL query. As a result, unauthenticated attackers could append additional SQL queries to existing ones and potentially extract sensitive information stored in a website’s database.
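The two patterns at issue, as an added illustration rather than the plugin’s own code: a hypothetical lookup that turns a comma-separated coinslist value into a SQL IN (...) clause, first by concatenating the raw input, then with each value validated and bound through WordPress’s $wpdb->prepare(). The table and column names are assumptions for the example.

```php
<?php
// Added illustration, not the plugin's code. Table and column names are assumed.

// VULNERABLE pattern: the raw parameter is spliced into the SQL text, so anything
// in it becomes part of the query instead of data.
function example_get_coins_unsafe( $coinslist ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_coins';          // assumed table name
    $sql   = "SELECT id, symbol, price FROM {$table} WHERE symbol IN ('"
           . str_replace( ',', "','", $coinslist ) . "')";
    return $wpdb->get_results( $sql );
}

// HARDENED pattern: split the list, keep only values that look like ticker
// symbols, and bind every value through a %s placeholder so $wpdb->prepare()
// quotes and escapes it. The SQL text never contains user input.
function example_get_coins_safe( $coinslist ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_coins';          // assumed table name

    // Allow-list: letters and digits only, at most 12 characters per symbol.
    $symbols = array_filter(
        array_map( 'trim', explode( ',', (string) $coinslist ) ),
        function ( $s ) {
            return (bool) preg_match( '/^[A-Za-z0-9]{1,12}$/', $s );
        }
    );
    if ( empty( $symbols ) ) {
        return array();
    }

    // One %s placeholder per value; prepare() accepts the values as an array.
    $placeholders = implode( ',', array_fill( 0, count( $symbols ), '%s' ) );
    $sql          = $wpdb->prepare(
        "SELECT id, symbol, price FROM {$table} WHERE symbol IN ({$placeholders})",
        array_values( $symbols )
    );
    return $wpdb->get_results( $sql );
}
```

The same placeholder-per-value approach applies to any list-valued shortcode or request parameter; the allow-list regex should be adjusted to whatever the real identifier format is.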
About the Plugin
The plugin, provided by Narinder Singh and reportedly co-authored by CryptocurrencyPlugins by CoolPlugins.net, has gained popularity with over 10,000 downloads and positive reviews on WordPress’s plugin marketplace. However, it is unclear how many users are affected by the vulnerable versions (2.0 to 2.6.5) or whether the latest update (version 2.6.6) addresses the security flaw. Cool Plugins has not yet commented publicly on the issue.
Previous Exploitations in WordPress
In October 2023, it was reported that cybercriminals were using BNB Chain’s smart contracts to distribute malware, targeting WordPress websites. By injecting code into smart contracts, hackers can secretly embed dangerous scripts, utilizing smart contracts as anonymous and free hosting platforms for malicious activities.