{"id":12535,"date":"2025-08-02T19:12:34","date_gmt":"2025-08-02T19:12:34","guid":{"rendered":"https:\/\/usaontheweb.com\/clone1\/a-silent-wordpress-breach-could-be-the-next-big-crypto-exploit\/"},"modified":"2025-08-02T19:12:34","modified_gmt":"2025-08-02T19:12:34","slug":"a-silent-wordpress-breach-could-be-the-next-big-crypto-exploit","status":"publish","type":"post","link":"https:\/\/usaontheweb.com\/clone1\/a-silent-wordpress-breach-could-be-the-next-big-crypto-exploit\/","title":{"rendered":"A Silent WordPress Breach Could Be the Next Big Crypto Exploit"},"content":{"rendered":"<div>\n<p><strong>A critical vulnerability in a popular WordPress plugin can allow hackers to hijack user-facing crypto websites. This vulnerability potentially creates opportunities for malicious actors to inject phishing pages, fake wallet links, and malicious redirects.\u00a0<\/strong><\/p>\n<p>While this flaw doesn\u2019t affect wallet backends or token contracts, it exposes the front-end infrastructure that users rely on to safely interact with crypto services. Although the plugin has since been patched, tens of thousands of sites remain unprotected, running outdated versions.\u00a0<\/p>\n<h2 id=\"h-a-wordpress-plugin-s-scam-potential\">A WordPress Plugin\u2019s Scam Potential<\/h2>\n<p>Crypto crimes are through the roof right now, and <span>many unexpected vectors can\u00a0yield new scam attacks. For example<\/span>, a recent report from Patchstack, a digital security firm, reveals a new WordPress exploit that could potentially enable new crypto scams.<\/p>\n<blockquote>\n<p>\u201cThe plugin\u00a0Post SMTP, which has over 400,000 installations, is an email delivery plugin. 
In versions\u00a03.2.0\u00a0and below, the plugin is vulnerable to multiple Broken Access Control vulnerabilities in its REST API endpoints\u2026allowing any registered user (including Subscriber-level users who should have no privileges at all) to perform a variety of actions,\u201d it claimed.<\/p>\n<\/blockquote>\n<p>These actions included viewing email count statistics, resending emails, and viewing detailed email logs, including the entire email body. <\/p>\n<p>A WordPress hacker could use this vulnerability to intercept password reset emails, potentially gaining control of administrator accounts.<\/p>\n<h2 id=\"h-many-targets-in-crypto\">Many Targets in Crypto<\/h2>\n<p>So, how could this WordPress vulnerability lead to crypto scams? Unfortunately, the possibilities are practically endless. Fake customer support emails have been instrumental in many recent phishing attempts, so even limited email control is already dangerous. <\/p>\n<p>A compromised site using WordPress could insert fake tokens and scam websites into external links using malicious scripts and redirects.<\/p>\n<p>Hackers could harvest passwords and attempt to use them on a list of exchanges. They could even serve malware to every user who opens a certain page.<\/p>\n<h2 id=\"h-are-my-wallets-safe\">Are My Wallets Safe?<\/h2>\n<p>On the surface, most crypto wallets and token platforms don\u2019t use WordPress for their core infrastructure. However, it\u2019s often used for user-end functions like homepages and customer support. <\/p>\n<p>If a small or new project without a solid engineering team gets compromised, security breaches could go unnoticed. Infected WordPress accounts could gather user information for future scams or outright direct customers to phishing attempts.<\/p>\n<h2 id=\"h-how-to-stay-protected\">How to Stay Protected<\/h2>\n<p>Luckily, Patchstack quickly released a fix for this particular bug. But more than 10% of Post SMTP users haven\u2019t installed it. 
That means around 40,000 websites are vulnerable to exploitation, representing a huge security risk.<\/p>\n<p>Savvy crypto users should remain calm and exercise standard security practices. Don\u2019t trust random email links, stick with trusted projects, use hardware wallets, etc. The biggest responsibility is on the site operators themselves. <\/p>\n<p>If a small crypto project runs a WordPress site without downloading Patchstack\u2019s bug fix, hackers could use it to power an endless list of scams. In short, crypto users should be safe as long as they exercise caution with non-mainstream projects.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A critical vulnerability in a popular WordPress plugin can allow hackers to hijack user-facing crypto websites. 
This vulnerability potentially<\/p>\n","protected":false},"author":7282,"featured_media":12536,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1166],"tags":[],"class_list":["post-12535","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-website"],"_links":{"self":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12535","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/users\/7282"}],"replies":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/comments?post=12535"}],"version-history":[{"count":0,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12535\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media\/12536"}],"wp:attachment":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media?parent=12535"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/categories?post=12535"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/tags?post=12535"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}