A crypto widget plugin for the web content management system WordPress was named as a “critical cybersecurity risk” yesterday.
A security bulletin released by the Cyber Security Agency of Singapore (CSA) noted that a plugin, called “The Cryptocurrency Widgets – Price Ticker & Coins List” has been identified as a cybersecurity risk and could potentially be exploited to extract sensitive information.
The crypto widget obtained a base score of 9.8/10, placing it in the “critical” group of vulnerabilities the CSA uses to refer to vulnerabilities with a minimum score of 9/10.
The Crypto Widget Plugin’s Vulnerabilities
The National Vulnerability Database (NVD), the U.S. government repository for standards-based vulnerability management data, said that the WordPress crypto plugin is susceptible to SQL Injection through the ‘coinslist’ parameter in versions 2.0 to 2.6.5.
This vulnerability arose from insufficient escaping on the user-supplied parameter and inadequate preparation on the existing SQL query. It permitted the extraction of sensitive information from the database, enabling unauthenticated attackers to add additional structured language queries to the existing ones.
According to the security firm CVE Program, the widget was supplied by a vendor identified as “narinder-singh,” and versions 2.0 through 2.6.5 were identified as containing the vulnerability.
Cybersecurity Risks Plaguing Crypto
Security vulnerabilities are becoming increasingly common in the crypto industry. Two weeks ago, Bitcoin ATM manufacturer Lamassu Industries addressed a vulnerability that, if exploited, could have provided hackers with “full control” over its Bitcoin ATMs.
Gabriel Gonzalez, Director of Hardware Security at IOActive, reported that the exploited vulnerabilities could have allowed the hackers to empty all funds from the ATM and manipulate the note reader to display inaccurate deposit amounts.
The vulnerability was discovered when a team of ethical hackers from the security firm IOActive attempted to compromise Lamassu’s Bitcoin ATMs in 2023. The researchers identified and exploited multiple vulnerabilities, ultimately gaining full control over the ATMs.
Read the full article here