Singapore Cybersecurity Agency Issues Alert on WordPress Plugin Vulnerability

A warning has been issued by the Cybersecurity Agency of Singapore (CSA) in relation to the WordPress plugin “Cryptocurrency Widgets – Price Ticker & Coins List”. An alert from the CSA states that versions 2.0 to 2.6.5 are vulnerable to SQL exploits through the use of the ‘coinslist’ argument.

According to the CSA, the vulnerability results from poor escape on user-supplied arguments and poor planning on pre-existing SQL queries. This vulnerability might enable unauthorized attackers to insert more SQL queries, increasing the possibility that private information could be taken from a website’s database.

Plugin Details and Developer Information

According to material on the WordPress website, Narinder Singh is credited as co-founding CryptocurrencyPlugins by CoolPlugins.net, and this is the plugin in dispute.

Though it has amassed more than 10,000 downloads and has a five-star rating from more than 150 reviews on WordPress’ marketplace, it is unclear exactly how many people are impacted. While the plugin’s page indicates that there has been an update to 2.6.6, it is unclear if this most recent version resolves the issue. CoolPlugins.net hasn’t made any public remarks on the situation as of yet.

A related incident from October 2023 was covered by crypto.news, which revealed a concerning pattern in which malevolent individuals used BNB Chain’s smart contracts to spread malware, specifically aimed at WordPress websites. Cybersecurity specialists warn that hackers might secretly incorporate dangerous scripts into smart contracts and turn them into free and covert platforms for hosting malicious activity by injecting code that can extract partial payloads from smart contracts.

Vigilance and proactive actions are essential to protect against new attacks and vulnerabilities as the cybersecurity landscape changes.