Cryptocurrency Widgets WordPress plugin vulnerable to SQL injection

published: Feb. 8, 2024

Take action: If you are using the "Cryptocurrency Widgets – Price Ticker & Coins List" for WordPress, patch ASAP.



The Cyber Security Agency of Singapore (CSA) has issued a critical alert regarding a significant vulnerability in the "Cryptocurrency Widgets – Price Ticker & Coins List" plugin for WordPress.

The vulnerability, tracked as CVE-2024-0709 (CVSS score 9.8), is an SQL injection through the 'coinslist' parameter and affects plugin versions 2.0 to 2.6.5. The flaw arises from inadequate sanitization of the user-supplied parameter and insufficient preparation of SQL queries, which could enable attackers to inject additional SQL commands and thereby extract sensitive data from the database.

Users and administrators of websites utilizing these versions are strongly recommended to update the plugin installation.
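The class of flaw described above, shown as an added example that is not the plugin's code: a comma-separated list parameter used in a query without and with prepared statements. Python's sqlite3 stands in for the WordPress database layer; the table, the function names, the 50-item limit and the identifier pattern are assumptions.

```python
import re
import sqlite3

COIN_ID = re.compile(r"[a-z0-9-]{1,64}")  # assumed shape of a coin identifier
TAMPERED = "bitcoin') OR ('1'='1"         # constructed value that closes the IN list early

def make_db():
    """Constructed in-memory table standing in for the plugin's coin data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coins (coin_id TEXT PRIMARY KEY, price REAL)")
    db.executemany("INSERT INTO coins VALUES (?, ?)",
                   [("bitcoin", 43000.0), ("ethereum", 2400.0), ("litecoin", 70.0)])
    return db

def lookup_unprepared(db, coinslist):
    """Anti-pattern: request text is pasted into the SQL statement itself."""
    quoted = ",".join("'" + c + "'" for c in coinslist.split(","))
    sql = "SELECT coin_id FROM coins WHERE coin_id IN (" + quoted + ") ORDER BY coin_id"
    return [row[0] for row in db.execute(sql)]

def lookup_prepared(db, coinslist):
    """Hardened: allowlist-validate each item, then bind every value."""
    ids = [c.strip() for c in coinslist.split(",") if c.strip()]
    if not ids or len(ids) > 50:
        raise ValueError("coinslist must hold 1 to 50 identifiers")
    for c in ids:
        if not COIN_ID.fullmatch(c):
            raise ValueError("invalid coin identifier: %r" % c)
    marks = ",".join("?" for _ in ids)  # one placeholder per value, no request text in the SQL
    sql = "SELECT coin_id FROM coins WHERE coin_id IN (" + marks + ") ORDER BY coin_id"
    return [row[0] for row in db.execute(sql, ids)]

if __name__ == "__main__":
    db = make_db()
    # The unprepared query no longer filters: every row in the table comes back.
    print("unprepared:", lookup_unprepared(db, TAMPERED))
    try:
        lookup_prepared(db, TAMPERED)
    except ValueError as err:
        print("prepared:", err)
```

In WordPress code the equivalent of the bound query is built with `$wpdb->prepare()` and one `%s` placeholder per list item.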
