April 15, 2019 by Agnes Talalaev
On April 10th, many people on the WordPress.org support forums were warning others that the Yuzo Related Posts plugin was to blame for their websites being hacked. At that time, the Yuzo Related Posts plugin had approximately 60,000 active installations worldwide.
The situation was also visible in WebARX firewall logs: our main rule-set started blocking the exploitation attempts on the same day.
The Yuzo Related Posts plugin was removed from the WordPress plugin store on March 30th, 2019, after a zero-day vulnerability was publicly, and irresponsibly, disclosed by a security researcher on the same day. (source)
It was also reported that the attacks were carried out by the same threat actors that had targeted WordPress installs using the Social Warfare and Easy WP SMTP plugins.
The plugin author, Lenin Zapata, provided the following suggestion to halt the attack:
Soon I will send an improved version of Yuzo for all users. (source)
On Monday, the Yellow Pencil Visual Theme Customizer plugin was removed from the WordPress.org repository. It was removed because of a privilege escalation bug that would have allowed attackers to update arbitrary options on vulnerable installations.
The attacks started because a security researcher “made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin” – after which exploitation began, Wordfence researchers said. (source)
The Wordfence team also said that the latest happenings are a part of a larger campaign. You can read about that here: Yellow Pencil attacks part of a larger campaign.
About the vulnerability:
One of the two flaws in the plugin is a privilege-escalation vulnerability in its yellow-pencil.php file. This file has a function that checks whether a specific request parameter (yp_remote_get) has been set, and if it has, the plugin promptly escalates the user’s privileges to those of an administrator.
That means any unauthenticated user could perform site admin actions, such as changing arbitrary options.
The second flaw, in Wordfence’s words, is that “a cross-site request forgery (CSRF) check is missing in the function below that would have made it much more difficult to exploit”. (source)
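As an added example, not code from the Yellow Pencil plugin or from WebARX, this is what a WordPress option-update handler looks like with the two missing controls in place: authorization from WordPress capabilities instead of the presence of a request parameter, and a nonce check against CSRF. The `yp_example_*` names and the single option written are assumptions made for the example.

```php
<?php
// Added example (not Yellow Pencil's code): an option-update handler with the two
// controls the post says were missing. Names prefixed "yp_example_" are assumptions.

// Render the settings form with a CSRF nonce tied to the action name.
function yp_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <?php wp_nonce_field('yp_example_save_options'); ?>
        <input type="hidden" name="action" value="yp_example_save_options">
        <input type="text" name="yp_example_accent"
               value="<?php echo esc_attr(get_option('yp_example_accent', '')); ?>">
        <?php submit_button(__('Save')); ?>
    </form>
    <?php
}

// Register the handler for logged-in users only. Deliberately no
// 'admin_post_nopriv_...' hook: anonymous requests must never reach this code.
add_action('admin_post_yp_example_save_options', 'yp_example_save_options');

function yp_example_save_options() {
    // 1. Authorization comes from WordPress capabilities, never from whether a
    //    request parameter happens to be set (the pattern behind the escalation bug).
    if (!current_user_can('manage_options')) {
        wp_die(__('You are not allowed to change these settings.'), 403);
    }

    // 2. CSRF: reject requests that do not carry a valid nonce for this action.
    //    check_admin_referer() calls wp_die() itself on failure.
    check_admin_referer('yp_example_save_options');

    // 3. Write only an explicit allow-list of options, each sanitized, instead of
    //    letting the request choose arbitrary option names or values.
    $allowed = ['yp_example_accent' => 'sanitize_text_field'];
    foreach ($allowed as $name => $sanitize) {
        if (isset($_POST[$name])) {
            update_option($name, $sanitize(wp_unslash($_POST[$name])));
        }
    }

    wp_safe_redirect(wp_get_referer() ?: admin_url());
    exit;
}
```

A request without a logged-in session never reaches the handler, a logged-in user without `manage_options` is stopped at step 1, and a forged cross-site form is stopped at step 2.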
All users are advised to update the plugin to the latest version, 7.2.0. The latest release is the patched version; all older versions remain at risk. (source)
WebARX users have been safe from both of the vulnerabilities from the beginning.