Wordpress security

The Week of Yuzo and YellowPencil Plugin Vulnerabilities

Updated: June 11, 2020 by Agnes Talalaev

In this blog post we analyze two WordPress vulnerabilities in Yuzo and YellowPencil plugin.

Yuzo Related Post

On April 10th many people on WordPress.org support forums were warning others about the Yuzo Related Post plugin to be the plugin blame why their website is hacked. At this time, Yuzo Related Post plugin had approx. 60,000 active installations worldwide.

The whole situation resonated in WebARX firewall logs as our main rule-set started to block the exploitation attempts on the same day.

yellowpencil plugin

Vulnerability details:

  • Vulnerability: Privilege escalation (unauthorized plugin settings update).
  • Exploit in wild vector: Stored cross-site scripting redirecting users to scam ads and malware.

The Yuzo Related Posts plugin was removed from the WordPress plugin store on March 30th, 2019. after a zero-day vulnerability was publicly, and irresponsibly, disclosed by a security researcher on the same day. (source)

It was also said that the attacks were carried out by the same threat actors that targeted WordPress installs using the Social Warfare and Easy WP SMTP plugins.

Are your sites protected from such vulnerabilities?

Protect your sites now
website firewall webarx website security

The Plugin author Lenin Zapata provided the following suggestion to halt the attack:

  • Remove / Uninstall the plugin immediately.
  • Within your database go to the wp_options table and look for the value yuzo_related_post_options delete that record.
  • Do not delete the table of visits wp_yuzoviews, this does not influence the problem.

Soon I will send an improved version of Yuzo for all users. (source)

YellowPencil Visual CSS Style Editor

On Monday The YellowPencil plugin was removed from the WordPress.org repository. The removal was made because of a privilege escalation bug which would have allowed potential attackers to update arbitrary options on vulnerable installations.

The attacks started because a security researcher “made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin” – after which the exploits began, Wordfence researchers said. (source)

The Wordfence team also said that the latest happenings are a part of a larger campaign. You can read about that here: Yellow Pencil attacks part of a larger campaign.

YellowPencil plugin has an active install base of more than 30,000 websites.

About the vulnerability:

  • Vulnerability: Privilege escalation (unauthorized WordPress settings update).
  • Exploit in wild vector: Stored cross-site scripting redirecting users to scam ads and malware.

One of the two flaws in the plugin is a privilege-escalation vulnerability that exists in its yellow-pencil.php file. This file has a function that checks if a specific request parameter (yp_remote_get) has been set – and if it has, the plugin promptly escalates the users’ privileges to that of an administrator.

That means that any unauthenticated user could perform site admin actions, like changing arbitrary options or more.

The second flaw is “a cross-site request forgery (CSRF) check is missing in the function below that would have made it much more difficult to exploit”. (source)

All users are advised to update the plugin to the latest version 7.2.0. The latest release is the safe version, and all older versions are currently at risk.

WebARX users have been safe from both of the vulnerabilities from the beginning.

Make sure your site is safe from such vulnerabilities.

Try webarx for free
Wordpress security

Start your free 7-day trial now

Protect your websites from malicious traffic - set-up in under 3 minutes.

Try it now

WebARX is compatible with the following platforms: