A serious vulnerability in a popular WordPress plugin could allow hackers to take control of cryptocurrency-oriented websites. This vulnerability could create opportunities for malicious actors to insert fraudulent pages, fake wallet links, and harmful redirects.
Although this vulnerability does not affect wallet systems or token contracts, it exposes the interface infrastructure that users rely on to interact safely with cryptocurrency services. Although the plugin has been patched, tens of thousands of websites still run older, unprotected versions.
The Fraud Potential of a WordPress Plugin
Cryptocurrency crime is on the rise, and new fraud attacks can arrive through unexpected channels. For example, a recent report from Patchstack, a digital security company, describes a WordPress vulnerability that could enable new forms of cryptocurrency fraud.
"Post SMTP plugin, with over 400,000 installations, is an email sending plugin. In versions 3.2.0 and below, the plugin is vulnerable to multiple Broken Access Control vulnerabilities in its REST API endpoints... allowing any registered user (including Subscriber-level users, who should not have any permissions) to perform various actions," the report stated.
These actions include viewing email-count statistics, resending emails, and viewing email log details, including the entire content of each message.
An attacker could use this vulnerability to intercept password reset emails sent through the site, potentially taking control of administrator accounts.
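The report describes REST API endpoints whose access check lets any logged-in user through, so a Subscriber can read the mail log. The following is an added illustrative example written for this article, not Post SMTP's own code: it shows that weak permission pattern next to the hardened form WordPress core recommends (a capability check in the route's `permission_callback`). It assumes a WordPress environment; the route namespace `example-mailer/v1`, the helper function names and the sample log entry are hypothetical.

```php
<?php
/**
 * Added illustrative example (not Post SMTP's code): the access-control
 * pattern behind the class of bug described above, and its fix.
 *
 * Assumes WordPress is loaded (register_rest_route, current_user_can,
 * WP_Error, WP_REST_Request and rest_ensure_response are core APIs).
 * The namespace 'example-mailer/v1' and all example_mailer_* names are
 * hypothetical.
 */

// Hypothetical log store standing in for a plugin's email log table.
function example_mailer_get_log_entry( int $id ): ?array {
    // Constructed sample data; a real plugin would query a database table.
    $log = [
        17 => [
            'to'      => 'admin@example.test',
            'subject' => 'Password reset request',
            'body'    => 'Use the link below to reset your password ...',
        ],
    ];
    return $log[ $id ] ?? null;
}

// WEAK: any authenticated account passes, so a Subscriber can read every
// logged message, including password-reset links. This is the shape of
// "broken access control" the report describes: the check asks "is someone
// logged in?" instead of "may this person read mail logs?".
function example_mailer_weak_permission( WP_REST_Request $request ): bool {
    return is_user_logged_in();
}

// HARDENED: require a capability that only administrators hold by default.
// A plugin may define its own capability instead; what matters is that the
// check expresses who is allowed to read mail logs.
function example_mailer_strict_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to read email logs.', 'example-mailer' ),
            // 401 for anonymous callers, 403 for logged-in callers without the capability.
            [ 'status' => rest_authorization_required_code() ]
        );
    }
    return true;
}

// Handler: only runs after the permission callback has returned true.
function example_mailer_log_handler( WP_REST_Request $request ) {
    $entry = example_mailer_get_log_entry( (int) $request['id'] );
    if ( null === $entry ) {
        return new WP_Error( 'not_found', 'No such log entry.', [ 'status' => 404 ] );
    }
    return rest_ensure_response( $entry );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/logs/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_log_handler',
        // Pointing this at 'example_mailer_weak_permission' reproduces the weak pattern.
        'permission_callback' => 'example_mailer_strict_permission',
        'args'                => [
            'id' => [
                'validate_callback' => fn( $value ) => ctype_digit( (string) $value ),
            ],
        ],
    ] );
} );
```

To confirm a fix of this kind on your own site, log in with a test account that has only the Subscriber role and request the log endpoint: the hardened route should answer with a `rest_forbidden` error (HTTP 403), while an unauthenticated request should get HTTP 401. Reviewing every `register_rest_route` call in a plugin for a `permission_callback` that does more than `is_user_logged_in()` or `__return_true` is a quick way to spot the same pattern elsewhere.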
Multiple Crypto Targets
So, how could this WordPress vulnerability lead to cryptocurrency fraud? Unfortunately, the possibilities are endless. Fake customer support emails have played a crucial role in many recent fraud attacks, so even limited control over a site's email is already dangerous.
A compromised WordPress site can use malicious scripts and redirects to point external links at fake tokens and fraudulent websites.
Hackers can collect passwords and attempt to reuse them on cryptocurrency exchanges. They might even serve malware to users who open a specific page.
Is My Wallet Safe?
On the surface, most cryptocurrency wallets and token platforms do not use WordPress for their core infrastructure. However, it is often used for user-facing functions such as homepages and customer support.
If a small or new project without a solid technical team is compromised, the breach might go undetected. A compromised WordPress site can collect user information for future fraud or steer customers directly into fraud schemes.
How to Protect Yourself
Fortunately, Patchstack quickly released a patch for this issue. But over 10% of Post SMTP users have not installed it. This means approximately 40,000 websites remain exploitable, representing a significant security risk.
Smart cryptocurrency users should stay calm and follow standard security measures: don't trust random email links, stick to reliable projects, use hardware wallets, and so on. The greatest responsibility lies with website operators.
If a small cryptocurrency project runs a WordPress site without installing Patchstack's patch, hackers could use it to carry out any number of frauds. In summary, cryptocurrency users should remain safe as long as they are cautious with non-official projects.