The Cyber Security Agency of Singapore (CSA) has drawn attention to a vulnerability in a cryptocurrency widget plugin for the popular web development platform WordPress, emphasizing its potential to expose sensitive information. SingCERT, the Singapore Cyber Emergency Response Team, issued a security advisory flagging the plugin titled "Cryptocurrency Widget - Price Quotes and Coin List" for critical vulnerabilities. The vulnerability received a base score of 9.8 out of 10, which places it in the "Critical" severity category.
According to the National Vulnerability Database (NVD), a repository for vulnerability management data maintained by the U.S. government, versions 2.0 through 2.6.5 of the WordPress cryptocurrency plugin are susceptible to SQL injection via the 'coinslist' parameter. The vulnerability arises from inadequate handling of the user-supplied parameter and inadequate preparation of the existing SQL query, which enables unauthenticated attackers to inject additional SQL queries and extract sensitive information from the database.
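The flaw class described above, shown as an added example that is not the plugin's code: a list-valued parameter spliced into an `IN (...)` clause, next to the same query with allow-list validation and bound placeholders. It uses Python's sqlite3 rather than WordPress; the table, column names, sample rows, limits and the assumption that `coinslist` is a comma-separated list of coin IDs are all constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE coins (coin_id TEXT PRIMARY KEY, price REAL);
        INSERT INTO coins VALUES ('bitcoin', 43000.0),
                                 ('ethereum', 2300.0),
                                 ('dogecoin', 0.09);
    """)
    return db

def prices_vulnerable(db, coinslist):
    # Anti-pattern: each element is wrapped in quotes and spliced into the SQL
    # text, so a quote inside the parameter changes the query's structure.
    quoted = ",".join("'%s'" % c for c in coinslist.split(","))
    sql = "SELECT coin_id, price FROM coins WHERE coin_id IN (%s)" % quoted
    return db.execute(sql).fetchall()

COIN_ID = re.compile(r"[a-z0-9-]{1,64}")  # assumed shape of a coin ID
MAX_IDS = 50                              # assumed upper bound on list length

def prices_hardened(db, coinslist):
    # 1. Allow-list every element and reject the whole request otherwise.
    ids = [c.strip() for c in coinslist.split(",")]
    if len(ids) > MAX_IDS or not all(COIN_ID.fullmatch(c) for c in ids):
        raise ValueError("invalid coinslist")
    # 2. One placeholder per element; the values are bound by the driver and
    #    never become part of the SQL text.
    marks = ",".join("?" * len(ids))
    sql = "SELECT coin_id, price FROM coins WHERE coin_id IN (%s)" % marks
    return db.execute(sql, ids).fetchall()

# Constructed input that closes the quoted literal and adds an always-true term.
HOSTILE = "x') OR ('1'='1"

if __name__ == "__main__":
    db = make_db()
    print(prices_hardened(db, "bitcoin,ethereum"))   # two matching rows
    print(len(prices_vulnerable(db, HOSTILE)))        # filter bypassed: every row
    try:
        prices_hardened(db, HOSTILE)
    except ValueError as exc:
        print("rejected:", exc)
```

In WordPress code the same pattern is expressed with `$wpdb->prepare()`, generating one `%s` placeholder per list element instead of concatenating the request value into the query string.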
The vulnerable plugin is provided by the vendor identified as "narinder-singh", and versions 2.0 through 2.6.5 carry the security flaw. The NVD also flagged Bitcoin on December 9, 2023, citing it as a cybersecurity risk due to the vulnerability's exploitation potential. Certain versions of Bitcoin Core and Bitcoin Knots allow data carrier restrictions to be bypassed by disguising data as code, as exploited by Inscriptions in 2022 and 2023.
Inscriptions exploited a vulnerability within Bitcoin Core to inundate the network with spam, as detailed by Bitcoin Core developer Luke Dashjr in a recent post referenced on the NVD's website. Users discussed the impact of such spam, likening it to a hindrance that slows down network processes and requires sifting through unwanted messages to locate relevant contacts. This vulnerability underscores the ongoing need for robust cybersecurity measures to safeguard against potential exploits and protect sensitive data in digital environments.



















