A critical vulnerability has been identified in the “Cryptocurrency Widgets – Price Ticker & Coins List” plugin for WordPress, spanning versions 2.0 through 2.6.5, according to the CVE Program security firm.
SingCERT, the Cyber Security Agency of Singapore, issued a warning regarding the vulnerability, which allows for the extraction of sensitive information. The plugin, marked as having critical vulnerabilities, received a base score of 9.8/10, signifying its severity.

The National Vulnerability Database (NVD) explained that the plugin is susceptible to SQL Injection via the ‘coinslist’ parameter due to insufficient parameter escaping and query preparation. This vulnerability enables unauthorized attackers to append additional SQL queries, potentially compromising the database’s security.
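The flaw class NVD describes, shown as an added illustration that is not the plugin's code: a list-valued parameter concatenated into an `IN (...)` clause, next to a version that validates each element and binds it through a placeholder. It uses Python with SQLite rather than the plugin's PHP, and the table, columns, function names and sample input are all constructed assumptions.

```python
import re
import sqlite3

# Constructed sample data; schema and rows are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coins (coin_id TEXT, price REAL, hidden INTEGER)")
    db.executemany(
        "INSERT INTO coins VALUES (?, ?, ?)",
        [("bitcoin", 43000.0, 0), ("ethereum", 2300.0, 0), ("internal", 0.0, 1)],
    )
    return db

def lookup_unsafe(db, coinslist):
    # Anti-pattern: the parameter becomes part of the SQL text, so a quote
    # inside it closes the string literal and the remainder is parsed as SQL.
    ids = "','".join(coinslist.split(","))
    sql = f"SELECT coin_id FROM coins WHERE hidden = 0 AND coin_id IN ('{ids}')"
    return sorted(row[0] for row in db.execute(sql))

# Assumed identifier format for this example: lowercase slug, bounded length.
COIN_ID = re.compile(r"[a-z0-9-]{1,64}")

def lookup_safe(db, coinslist, validate=True):
    ids = [c.strip() for c in coinslist.split(",")]
    # Layer 1: allow-list every element and cap the list size.
    if validate and (len(ids) > 100 or not all(COIN_ID.fullmatch(c) for c in ids)):
        raise ValueError("invalid coinslist")
    # Layer 2: one bound placeholder per element; only "?" marks are
    # interpolated into the SQL text, never the values themselves.
    marks = ",".join("?" * len(ids))
    sql = f"SELECT coin_id FROM coins WHERE hidden = 0 AND coin_id IN ({marks})"
    return sorted(row[0] for row in db.execute(sql, ids))

if __name__ == "__main__":
    db = make_db()
    crafted = "x') OR hidden = 1 OR coin_id IN ('x"  # constructed input
    print("unsafe:", lookup_unsafe(db, crafted))
    print("bound only:", lookup_safe(db, crafted, validate=False))
```

With binding alone the crafted value is compared as an ordinary string and matches nothing; the allow-list additionally rejects it before the query runs.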

The plugin is provided by vendor “narinder-singh,” and versions 2.0 through 2.6.5 are at risk. The exploit has been documented in Bitcoin Core and Bitcoin Knots versions, allowing attackers to bypass data carrier limits by disguising data as code.

Bitcoin’s vulnerability, listed in the Common Vulnerabilities and Exposures (CVE) System, has been discussed by Bitcoin Core developer Luke Dashjr, who highlights the impact of spamming the network. This exploit slows down processes and disrupts user experiences, as noted in community discussions.
