A WordPress crypto widget used by thousands of sites may contain a security vulnerability that could leak data to attackers.
The Cyber Security Agency of Singapore (CSA) has released a security bulletin detailing a critical vulnerability in ‘Cryptocurrency Widgets – Price Ticker & Coins List’ that could expose user data. The warning applies to versions 2.0 to 2.6.5 and, according to the CSA, centers on “insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query”.
Essentially, this means that input supplied by a visitor is not safely handled before it reaches the site's database, a classic SQL injection weakness that goes against standard security best practices. The CSA warns that the widget could allow unauthorized users to append extra SQL queries to the existing one, with the risk of extracting sensitive information from the website’s database.
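To make the CSA's two-part description concrete, here is an added example in Python (standing in for the plugin's PHP; this is not the plugin's code, and the table, prices and ticker symbols are constructed), with SQLite as a stand-in database. It places the weak pattern, where the user-supplied parameter is spliced into the query text, beside the prepared-statement form in which the query text is fixed and the value is bound as a parameter, and adds an allowlist check on the parameter as defence in depth. In WordPress itself the prepared form corresponds to `$wpdb->prepare()`.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory database standing in for a site's tables (not the plugin's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coins (symbol TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO coins VALUES (?, ?)",
        [("BTC", 60000.0), ("ETH", 3000.0), ("SOL", 150.0)],
    )
    return conn


def lookup_unsafe(conn, symbol):
    """Weak pattern: the user-supplied parameter is spliced into the SQL text
    with no escaping and no preparation, so it can rewrite the WHERE clause."""
    sql = f"SELECT symbol, price FROM coins WHERE symbol = '{symbol}'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, symbol):
    """Hardened pattern: the query text never changes; the value is bound by the
    driver as a parameter and is treated purely as data."""
    return conn.execute(
        "SELECT symbol, price FROM coins WHERE symbol = ?", (symbol,)
    ).fetchall()


# Hypothetical allowlist for a ticker symbol: uppercase letters/digits, 1-10 characters.
SYMBOL_RE = re.compile(r"[A-Z0-9]{1,10}")


def is_valid_symbol(symbol):
    """Defence in depth: reject anything that is not a plausible ticker before it
    reaches the database, independently of the prepared statement."""
    return SYMBOL_RE.fullmatch(symbol) is not None


def lookup_validated(conn, symbol):
    """Validate first, then run the prepared query."""
    if not is_valid_symbol(symbol):
        raise ValueError(f"rejected symbol: {symbol!r}")
    return lookup_prepared(conn, symbol)


def demo():
    """Compare the three lookups on a benign value and on a constructed probe string
    of the kind a tester uses to check whether input can alter the query structure."""
    conn = build_db()
    probe = "BTC' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, "BTC"),
        "unsafe_probe": lookup_unsafe(conn, probe),      # every row: the clause was rewritten
        "prepared_probe": lookup_prepared(conn, probe),  # no rows: probe treated as a literal symbol
        "validated_rejects_probe": not is_valid_symbol(probe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `unsafe_probe` entry is the observable symptom the CSA bulletin describes: the same function that returns one coin for a normal symbol returns the whole table once the parameter contains quote characters, because the parameter has become part of the query rather than a value in it. The prepared version returns nothing for the probe, and the allowlist rejects it before any query runs.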
Considering the widget is centered around cryptocurrency, this could leave users’ wallets, finances, or other personal information vulnerable to attack. The plug-in itself has over 10,000 downloads, with no word yet on how many people could be affected.
This wouldn’t be the first time that hackers have used such security vulnerabilities to extract everything from partial payouts to smart contracts. Dangerous scripts can often go unnoticed for long periods, leaving agencies like CSA Singapore to warn of potential vulnerabilities like this one.
What is ‘Cryptocurrency Widgets’?
Cryptocurrency Widgets is used to display coin price lists, tables, multi-currency tabs, and price labels on websites, lending itself well to crypto trading websites that offer overviews of the market. It updates around the clock to provide continual coverage for Bitcoin, Ethereum, and other popular cryptocurrencies.
At the time of writing, CoolPlugins (the creator of the widget) has not publicly commented on the issue. An update, version 2.6.6, is already available and should address the security vulnerability.
Featured image: Pexels