According to the security firm CVE Program, the “Cryptocurrency Widgets – Price Ticker & Coins List plugin” WordPress widget carries a critical vulnerability from versions 2.0 through 2.6.5.

This WordPress crypto widget plugin can leak sensitive information

Staff Member
Thursday 8th of February 2024 04:30:00 PM 3 min read

The Cyber Security Agency of Singapore (CSA) highlighted that a cryptocurrency widget plugin for the web development platform WordPress contains a vulnerability that can be used to extract sensitive information. 

A security bulletin released by the Singapore Cyber Emergency Response Team (SingCERT) warned about the plugin named “The Cryptocurrency Widgets – Price Ticker & Coins List,” flagging it for critical vulnerabilities.

As shown above, the crypto widget received a 9.8/10 base score, placing it at “critical,” which is the highest on the spectrum of vulnerabilities.

The National Vulnerability Database (NVD) — the United States government repository of standards-based vulnerability management data — explained that the WordPress crypto plugin is “vulnerable to SQL Injection via the ‘coinslist’ parameter in versions 2.0 to 2.6.5 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.”

The vulnerability makes it possible for unauthenticated attackers to append additional structured query language (SQL) queries to already existing queries, which allows sensitive information to be extracted from the database.
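An added illustration, not code from the plugin or from the advisories: the flaw class the NVD text describes, reproduced against an in-memory SQLite table, beside a version that validates each list element and binds it as a query parameter. The table, column and function names and the sample input are hypothetical and constructed for this example; in WordPress the binding step is done with `$wpdb->prepare()`.

```python
import re
import sqlite3

# Constructed sample input: a quote character closes the string literal early.
CRAFTED = "bitcoin') OR ('1'='1"
# Assumed identifier format for one list element (hypothetical allowlist).
COIN_ID = re.compile(r"[a-z0-9-]{1,64}")


def make_db():
    """Build a throwaway table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coins (coin_id TEXT, price REAL)")
    db.executemany(
        "INSERT INTO coins VALUES (?, ?)",
        [("bitcoin", 1.0), ("ethereum", 2.0), ("hidden-row", 3.0)],
    )
    return db


def lookup_unsafe(db, coinslist):
    """Unprepared query: the raw parameter is pasted into the SQL text,
    so quotes inside it are parsed as SQL syntax instead of data."""
    ids = "','".join(coinslist.split(","))
    sql = f"SELECT coin_id FROM coins WHERE coin_id IN ('{ids}') ORDER BY coin_id"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, coinslist, strict=True):
    """Prepared query: one placeholder per element, values bound separately.
    With strict=True each element must also match the allowlist pattern."""
    ids = [item.strip() for item in coinslist.split(",")]
    if strict and not all(COIN_ID.fullmatch(item) for item in ids):
        raise ValueError("coinslist contains an invalid identifier")
    if len(ids) > 50:  # bound the list so the placeholder count stays small
        raise ValueError("coinslist too long")
    marks = ",".join("?" * len(ids))  # "?,?,?" sized to the list
    sql = f"SELECT coin_id FROM coins WHERE coin_id IN ({marks}) ORDER BY coin_id"
    return [row[0] for row in db.execute(sql, ids)]


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal :", lookup_unsafe(db, "bitcoin,ethereum"))
    print("unsafe, crafted:", lookup_unsafe(db, CRAFTED))
    print("bound,  crafted:", lookup_safe(db, CRAFTED, strict=False))
    print("safe,   normal :", lookup_safe(db, "bitcoin,ethereum"))
```

Binding alone already turns the crafted value into a harmless non-matching string; the allowlist check is a second layer that rejects it before the query runs.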

According to the security firm CVE Program, the widget was provided by a vendor named “narinder-singh,” and versions 2.0 through 2.6.5 were found to carry the vulnerability.

On Dec. 9, 2023, the NVD flagged Bitcoin inscriptions as a cybersecurity risk.

According to the database records, a data carrier limit can be bypassed by masking data as code in some Bitcoin Core and Bitcoin Knots versions. “As exploited in the wild by Inscriptions in 2022 and 2023,” reads the document.

The NVD’s website features a recent X post from Bitcoin Core developer Luke Dashjr as an information resource. Dashjr alleges that inscriptions exploit a Bitcoin Core vulnerability to spam the network. “I guess it’s like receiving junk mail that you have to sift through every day to find the ones that are your contacts. It slows down the process,” a user wrote in the discussion.
