Crypto Widget WordPress Plugin Flagged as “Critical” Cybersecurity Risk
A crypto widget plugin for the web content management system WordPress was named as a “critical cybersecurity risk” yesterday.
A security bulletin released by the Cyber Security Agency of Singapore (CSA) noted that a plugin, called “The Cryptocurrency Widgets – Price Ticker & Coins List” has been identified as a cybersecurity risk and could potentially be exploited to extract sensitive information.
The vulnerability received a CVSS base score of 9.8 out of 10, placing it in the “critical” band, which the CSA uses for vulnerabilities scoring 9.0 or higher.
The National Vulnerability Database (NVD), the U.S. government repository for standards-based vulnerability management data, said that the WordPress crypto plugin is susceptible to SQL injection via the ‘coinslist’ parameter in versions 2.0 through 2.6.5.
The flaw stems from insufficient escaping of the user-supplied parameter and a lack of proper preparation (parameterisation) of the existing SQL query. As a result, unauthenticated attackers can append additional SQL to the query the plugin already runs and use it to extract sensitive information from the database.
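To make the mechanism concrete, the following is an added example written for this article, not code from the plugin or from its vendor. It reconstructs the general shape of the bug (a comma-separated list parameter spliced straight into an IN (...) clause) and the fix (one bound placeholder per list item) against a constructed in-memory SQLite database; the table names, the “coinslist” handling and the sample rows are assumptions for illustration, not the plugin’s real schema or code.

```python
import re
import sqlite3

# Constructed placeholder, not a real password hash.
FAKE_HASH = "$P$B-constructed-not-a-real-hash"


def make_db():
    """Build a throwaway database standing in for the WordPress tables
    a price-ticker widget might query (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE coins (id TEXT PRIMARY KEY, symbol TEXT, price REAL);
        INSERT INTO coins VALUES ('bitcoin', 'BTC', 60000.0),
                                 ('ethereum', 'ETH', 3000.0);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY,
                               user_login TEXT, user_pass TEXT);
        """
    )
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (FAKE_HASH,))
    return conn


def coins_vulnerable(conn, coinslist):
    """Vulnerable pattern: the request parameter is spliced into the query
    with no escaping and no preparation. A caller is expected to pass
    something like "'bitcoin','ethereum'", but nothing enforces that."""
    sql = f"SELECT symbol, price FROM coins WHERE id IN ({coinslist})"
    return conn.execute(sql).fetchall()


def coins_prepared(conn, coinslist):
    """Hardened: split the list, then bind every item as a parameter.
    A list cannot be bound to a single placeholder, so one '?' is
    generated per item (the same idea as building a %s list for
    $wpdb->prepare() in WordPress)."""
    ids = [c.strip() for c in coinslist.split(",") if c.strip()]
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT symbol, price FROM coins WHERE id IN ({placeholders})"
    return conn.execute(sql, ids).fetchall()


def coins_hardened(conn, coinslist):
    """Defence in depth: reject anything that is not a slug-like coin id
    before the query is even built, then use the prepared query."""
    ids = [c.strip() for c in coinslist.split(",") if c.strip()]
    if not all(re.fullmatch(r"[a-z0-9-]{1,64}", c) for c in ids):
        raise ValueError("invalid coin id in coinslist")
    return coins_prepared(conn, ",".join(ids))


# Constructed attacker value: closes the IN list, appends a UNION that
# reads the users table, and comments out the rest of the query.
PAYLOAD = "'bitcoin') UNION SELECT user_login, user_pass FROM wp_users--"


def demo():
    """Return (vulnerable result, prepared result) for the payload."""
    conn = make_db()
    leaked = coins_vulnerable(conn, PAYLOAD)
    safe = coins_prepared(conn, PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)
    print("prepared:  ", safe)
```

Against the vulnerable function the payload returns the admin login and password hash alongside the legitimate price row, which is exactly the “extract sensitive information” outcome the bulletin describes; against the prepared function the same string is split into two literal ids that match nothing, and the allowlisted variant refuses it before any SQL runs. In a WordPress plugin the equivalent fix is to build the placeholder list and pass the ids to $wpdb->prepare() rather than interpolating the raw parameter.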
According to the CVE Program record for the flaw, the plugin is supplied by a vendor identified as “narinder-singh,” and versions 2.0 through 2.6.5 are the ones affected.