Cyber security agency warns this WordPress widget might leak data

A WordPress crypto widget used by thousands could contain a security vulnerability that could leak data to potential attackers.

Cyber Security Agency (CSA) Singapore has released a security bulletin detailing a critical vulnerability in ‘Cryptocurrency Widgets – Price Ticker & Coins List’, leaving it potentially vulnerable to exposing user data. The security warning applies to versions 2.0 to 2.6.5 and, according to the CSA, centers around “insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query”.

Essentially, this means that there is an issue with how user input is handled within a software application or database, going against standard security best practices. The CSA warns that this WordPress widget could potentially allow unauthorized users to add extra SQL queries, with the risk of extracting sensitive information from a website’s database.

Considering the widget is centered around cryptocurrency, this could leave users’ wallets, finances, or other personal information vulnerable to attack. The plug-in itself has over 10,000 downloads, with no word yet on how many people could be affected.

This wouldn’t be the first time that hackers have used such security vulnerabilities to extract everything from partial payouts to smart contracts. Dangerous scripts can often go unnoticed for periods, leaving agencies like CSA Singapore to warn of potential vulnerabilities like this one.

What is ‘Cryptocurrency Widgets’?

Cryptocurrency Widgets is used to display coins price lists, tables, multi-currency tabs, and price labels on websites, lending itself well to crypto trading websites that offer overviews of the market. It updates regularly 24 hours a day to provide continual coverage for Bitcoin, Ethereum, and other popular cryptocurrencies.

At the time of writing, CoolPlugins (the creator of the widget) has not publicly commented on the issue. There is also currently an update for version 2.6.6, which should be protected against the security vulnerability.

Featured image: Pexels

Rachael Davis

Freelance Journalist

Rachael Davies
has spent six years reporting on tech and entertainment, writing for publications like the Evening Standard, Huffington Post, Dazed, and more. From niche topics like the latest gaming mods to consumer-faced guides on the latest tech, she puts her MA in Convergent Journalism to work, following avenues guided by a variety of interests. As well as writing, she also has experience in editing as the UK Editor of The Mary Sue , as well as speaking on the important of SEO in journalism at the Student Press Association National Conference. You can find her full portfolio over on Muck Rack or follow her on social media on X.

Source link

Related Articles