The Cyber Security Agency (CSA) of Singapore has issued a warning about a critical vulnerability discovered in a cryptocurrency widget plugin for WordPress, which could potentially leak sensitive information. The plugin in question is called 'Cryptocurrency Widgets – Price Ticker & Coins List,' and it has been flagged for vulnerabilities by the Singapore Cyber Emergency Response Team (SingCERT).
The vulnerability, rated 9.8 out of 10 on the severity scale, is an SQL injection via the 'coinslist' parameter in versions 2.0 to 2.6.5 of the plugin. It arises from insufficient escaping of the user-supplied parameter and a lack of proper preparation of the existing SQL query, so the raw request value reaches the database. Attackers could exploit this flaw to append additional SQL queries and extract sensitive data from the database.
The plugin, provided by a vendor named 'narinder-singh,' has been identified as carrying the vulnerability in versions 2.0 through 2.6.5. Users are advised to update to the latest version immediately to mitigate the risk of exploitation.
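As an added illustration of the flaw class the advisory describes, and not the plugin's own code, the hypothetical handler below shows a 'coinslist' value interpolated straight into SQL beside a version that allow-lists each ticker and binds it with $wpdb->prepare(). The table name and column names are assumed for the example.

```php
<?php
// Illustrative only: a hypothetical WordPress handler, not the plugin's code.
// Assumes a WordPress environment (global $wpdb) and a hypothetical table
// {$wpdb->prefix}coin_prices(symbol, price).

// VULNERABLE pattern: the raw 'coinslist' request value is spliced into SQL.
function get_prices_vulnerable( $coinslist ) {
    global $wpdb;
    $sql = "SELECT symbol, price FROM {$wpdb->prefix}coin_prices "
         . "WHERE symbol IN ('" . str_replace( ',', "','", $coinslist ) . "')";
    // No escaping, no prepared statement: quotes in the input change the query.
    return $wpdb->get_results( $sql );
}

// HARDENED pattern: allow-list each token, then bind with $wpdb->prepare().
function get_prices_safe( $coinslist ) {
    global $wpdb;
    $symbols = array();
    foreach ( explode( ',', (string) $coinslist ) as $token ) {
        $token = strtoupper( trim( $token ) );
        // Ticker symbols are short and alphanumeric; reject anything else.
        if ( preg_match( '/^[A-Z0-9]{1,10}$/', $token ) ) {
            $symbols[] = $token;
        }
    }
    if ( empty( $symbols ) ) {
        return array();
    }
    // One %s placeholder per symbol; prepare() quotes and escapes each value.
    $placeholders = implode( ',', array_fill( 0, count( $symbols ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT symbol, price FROM {$wpdb->prefix}coin_prices WHERE symbol IN ($placeholders)",
        $symbols
    );
    return $wpdb->get_results( $sql );
}
```

The allow-list is the first line of defence; prepare() is still required because a validated value must never be concatenated into the query text.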
In related news, the National Vulnerability Database (NVD) flagged a cybersecurity risk associated with Bitcoin's inscriptions. Some versions of Bitcoin Core and Bitcoin Knots were found to have a bypassable datacarrier limit, potentially allowing attackers to mask data as code. This vulnerability has been exploited in the wild by threat actors known as Inscriptions in 2022 and 2023.
Bitcoin Core developer Luke Dashjr highlighted this vulnerability, noting that it could lead to network spamming by malicious actors. Users are urged to stay vigilant and apply patches or updates provided by the respective software vendors to protect against such vulnerabilities.