According to Cointelegraph: Security firm CVE Program has identified a critical flaw in the "Cryptocurrency Widgets – Price Ticker & Coins List plugin" for WordPress, a widely used web development platform. Versions 2.0 to 2.6.5 of this widget have been flagged for a vulnerability that could expose sensitive information.
According to the National Vulnerability Database (NVD), a vulnerability management data repository of the U.S. government, the plugin is susceptible to SQL injection. The flaw, associated with the 'coinslist' parameter, stems from insufficient escaping of the user-supplied parameter and inadequate preparation of the SQL query in versions 2.0 to 2.6.5. As a result, unauthenticated attackers can append additional SQL queries to existing ones and extract sensitive data from the database.
The plugin, provided by vendor "Narinder-singh", received a vulnerability base score of 9.8 out of 10, which categorizes it as a "critical" threat.
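The flaw class NVD describes for the 'coinslist' parameter, as an added Python/sqlite3 example that is not the plugin's own code (the plugin's source does not appear on this page). The table, columns, sample rows, symbol pattern and function names are all hypothetical; the example contrasts a list parameter pasted into the query text with one that is validated and bound.

```python
import re
import sqlite3

SYMBOL_RE = re.compile(r"[A-Za-z0-9]{1,10}")  # assumed shape of a coin symbol

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coins (symbol TEXT, price REAL, is_public INTEGER)")
    db.executemany("INSERT INTO coins VALUES (?, ?, ?)",
                   [("BTC", 43000.0, 1), ("ETH", 2300.0, 1), ("DRAFT", 0.0, 0)])
    return db

def lookup_unsafe(db, coinslist):
    # Weak pattern: the request value becomes part of the SQL text, so a quote
    # or parenthesis inside it changes the structure of the WHERE clause.
    quoted = "','".join(coinslist.split(","))
    sql = ("SELECT symbol FROM coins WHERE is_public = 1 "
           "AND symbol IN ('" + quoted + "')")
    return sorted(row[0] for row in db.execute(sql))

def lookup_safe(db, coinslist):
    # Hardened pattern: allow-list each item, then bind every value as a
    # parameter so the SQL text contains only placeholders.
    symbols = [s.strip().upper() for s in coinslist.split(",") if s.strip()]
    if not symbols or len(symbols) > 50:
        raise ValueError("coinslist must hold 1 to 50 symbols")
    for s in symbols:
        if not SYMBOL_RE.fullmatch(s):
            raise ValueError("invalid coin symbol: %r" % s)
    marks = ",".join("?" * len(symbols))
    sql = ("SELECT symbol FROM coins WHERE is_public = 1 "
           "AND symbol IN (" + marks + ")")
    return sorted(row[0] for row in db.execute(sql, symbols))

if __name__ == "__main__":
    db = make_db()
    crafted = "BTC') OR ('1'='1"   # constructed input that alters the query
    print(lookup_unsafe(db, "BTC,ETH"))   # normal request
    print(lookup_unsafe(db, crafted))     # non-public row is returned too
    try:
        lookup_safe(db, crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

In WordPress code the corresponding binding step is `$wpdb->prepare()` with one placeholder per list item.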
On a related note, the NVD also highlighted Bitcoin tickers as a cybersecurity risk on Dec 9, 2023. Certain versions of Bitcoin Core and Bitcoin Knots were found to allow data carrier limits to be bypassed by cloaking data as code. Listed as exploited in the wild during 2022 and 2023, the issue reduces network efficiency; one user compared it to receiving and sifting through junk mail every day.