Singapore’s Cybersecurity Agency Raises Alarm Over Vulnerable Crypto Widget

Critical Warning Issued

The Cybersecurity Agency of Singapore (CSA) has recently highlighted a critical security flaw in the popular WordPress add-on "Cryptocurrency Widgets – Price Ticker & Coins List". The flaw affects versions 2.0 through 2.6.5 of the plugin, which are exposed to SQL injection attacks through a vulnerability in the 'coinslist' parameter.

Technical Flaw Details

Investigations reveal that the vulnerability results from insufficient sanitization of user input combined with improperly secured SQL queries. This oversight lets attackers, even without authentication, inject SQL into the plugin's queries, which could compromise a site's database and leak sensitive data.
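The pattern described above, shown as an added example that is not the plugin's code: a list-valued request parameter pasted into an IN clause, next to a version that binds each value and checks its format first. It uses Python with sqlite3 instead of PHP and MySQL to stay self-contained, and it assumes 'coinslist' carries comma-separated coin identifiers; the table, columns, rows and function names are hypothetical.

```python
import re
import sqlite3

# Constructed input that closes the quoted list and appends its own condition.
CRAFTED = "nosuchcoin') OR ('1'='1"
# Assumed identifier format: lowercase letters, digits, hyphens.
COIN_ID = re.compile(r"[a-z0-9-]{1,64}")


def make_db():
    """In-memory database with constructed rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coins (coin_id TEXT PRIMARY KEY, price REAL)")
    db.executemany(
        "INSERT INTO coins VALUES (?, ?)",
        [("bitcoin", 64000.0), ("dogecoin", 0.15), ("ethereum", 3100.0)],
    )
    return db


def lookup_vulnerable(db, coinslist):
    """Unsafe pattern: request text is pasted into the SQL string."""
    quoted = "','".join(coinslist.split(","))
    sql = f"SELECT coin_id FROM coins WHERE coin_id IN ('{quoted}') ORDER BY coin_id"
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db, coinslist, strict=True):
    """Bind every value; with strict=True also allow-list the format first."""
    ids = [c.strip() for c in coinslist.split(",")]
    if strict and (len(ids) > 50 or not all(COIN_ID.fullmatch(c) for c in ids)):
        raise ValueError("coinslist contains an invalid coin identifier")
    # One "?" per value: the SQL text depends only on the count, never the content.
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT coin_id FROM coins WHERE coin_id IN ({placeholders}) ORDER BY coin_id"
    return [row[0] for row in db.execute(sql, ids)]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, CRAFTED))               # every row comes back
    print(lookup_hardened(db, CRAFTED, strict=False))   # no row matches
    print(lookup_hardened(db, "bitcoin,ethereum"))      # only the requested rows
```

Binding alone already keeps the input out of the SQL grammar; the format check rejects malformed requests before they reach the database and gives a clear signal to log.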

Plugin Popularity and User Risk

Developed by Narinder Singh, co-founder of CryptocurrencyPlugins at CoolPlugins.net, the widget boasts over 10,000 downloads and numerous positive reviews on WordPress' marketplace. The extent of the risk to users of the affected versions remains unknown, and although the plugin has been updated to version 2.6.6, it has not been confirmed whether this version rectifies the security issues. CoolPlugins has yet to issue a statement on this matter.

Previous WordPress and Crypto Security Concerns

October of the previous year saw reports from crypto.news about malicious actors exploiting BNB Chain’s smart contracts to spread malware across WordPress sites. These cybercriminals would insert code to retrieve malware fragments from smart contracts, thereby stealthily embedding harmful scripts. This tactic turns smart contracts into de facto anonymous and cost-free hosts for their malicious payloads, posing a serious threat to web security, as per cybersecurity experts.
