The Cyber Security Agency of Singapore (CSA) has highlighted that "Cryptocurrency Widgets – Price Ticker & Coins List", a cryptocurrency widget plug-in for the web development platform WordPress, contains a critical vulnerability that can be used to extract sensitive information. According to the security company CVE Program, the plug-in is provided by a vendor named "narinder-singh", and versions 2.0 to 2.6.5 were found to carry the vulnerability.
The vulnerability allows an unauthenticated attacker to append additional SQL queries to an existing query and thereby extract sensitive information from the database. The security advisory issued by the Singapore Cyber Emergency Response Team (SingCERT) rated the vulnerability 9.8/10, which is classified as "critical". (Cointelegraph)
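A defender-side check for the affected range stated above, as an added example that is not part of the original article or the plug-in's own code: it reads the WordPress plug-in headers under a plug-ins directory and flags installs whose version falls in 2.0 to 2.6.5. Matching on the text "Cryptocurrency Widgets" in the `Plugin Name` header, the default directory path and all function names are assumptions.

```python
import re
import sys
from pathlib import Path

# Affected range as stated in the article: versions 2.0 to 2.6.5 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (2, 0), (2, 6, 5)
# Assumption: the plug-in's "Plugin Name" header contains this text from the article.
NAME_MARKER = "cryptocurrency widgets"
# WordPress plug-in header lines look like " * Plugin Name: Foo" / " * Version: 1.2.3".
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version)[ \t]*:[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """Turn '2.6.5' into (2, 6, 5); stop at the first part with no leading digits."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def _pad(t):
    # Pad with zeros so that '2' and '2.0' compare as the same version.
    return t + (0,) * max(0, 4 - len(t))

def is_affected(version):
    """True when the version lies inside the article's affected range."""
    v = parse_version(version)
    return bool(v) and _pad(AFFECTED_MIN) <= _pad(v) <= _pad(AFFECTED_MAX)

def read_headers(php_file):
    """Parse header fields from the first 8 KB of a file, as WordPress does."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {k.lower(): v for k, v in HEADER_RE.findall(head)}

def scan_plugins(plugins_dir):
    """Return (directory, version, status) for each matching plug-in found."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        headers = read_headers(php_file)
        if NAME_MARKER not in headers.get("plugin name", "").lower():
            continue
        version = headers.get("version", "")
        if not parse_version(version):
            status = "unknown"  # no readable version: review this install by hand
        else:
            status = "affected" if is_affected(version) else "outside affected range"
        findings.append((php_file.parent.name, version, status))
    return findings

if __name__ == "__main__":
    for row in scan_plugins(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(*row, sep="\t")
```

An install reported as "unknown" has a matching name but no parseable `Version` header and should be checked manually rather than assumed safe.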