Singapore’s cyber agency warns WordPress crypto widget might leak data

A crypto widget plugin for WordPress has a vulnerability that might expose sensitive data, Singapore’s cybersecurity agency warns.

The Cybersecurity Agency of Singapore (CSA) has issued a critical warning regarding the “Cryptocurrency Widgets – Price Ticker & Coins List” widget plugin for WordPress, saying versions 2.0 to 2.6.5 are vulnerable to SQL injections via the ‘coinslist’ parameter.

The vulnerability stems from insufficient escaping on user-supplied parameters and inadequate preparation on existing SQL queries, the CSA says. According to the agency, the flaw potentially allows unauthenticated attackers to inject additional SQL queries, potentially extracting sensitive information from a website’s database.

According to the WordPress website, the plugin has been provided by Narinder Singh, who is allegedly co-founder of CryptocurrencyPlugins by CoolPlugins.net.

WordPress’ marketplace shows the plugin developed by CoolPlugins.net has over 10,000 downloads with over 150 reviews giving it five stars, although it remains unclear how many users are affected by versions 2.0 to 2.6.5. While the plugin’s page indicates an update to version 2.6.6, it is uncertain whether the latest update addresses the vulnerability. As of press time, Cool Plugins has not commented on the issue publicly.

In October 2023, crypto.news reported that bad actors have started using BNB Chain‘s smart contracts to distribute malware, targeting websites made with WordPress. By injecting code that extracts partial payloads from smart contracts, hackers can covertly embed dangerous scripts, effectively using smart contracts as anonymous and free hosting platforms for malicious activities, cybersecurity analysts warn.