Is Yuzo on Your WordPress site?

I am still busy unpacking and re-arranging the furniture at the new home of Bach Seat. One of the nicer things about my new host is that I can now get WordPress alerts. And I have been getting a ton of alerts from the firewall that it blocked “yuzo-related” attack attempts. So I decided to see WTF “yuzo-related” attack attempts were about and found an excellent explanation on the WordFence site.

60,000 WordPress websites

Dan Moen at WordFence explains that the Yuzo Related Posts (YRP) plugin for WordPress has an unpatched vulnerability that was publicly disclosed by a security researcher on March 30, 2019. The flaw, which allows stored cross-site scripting (XSS), is now being exploited in the wild. The buggy plugin is installed on over 60,000 websites and has been removed from the WordPress.org plugin directory.

WordFence recommends that all users remove the plugin from their sites immediately.

The blog’s author writes that the vulnerability in YRP stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The code below is the crux of the problem. There is more in-depth coding tech-talk at WordFence.

}elseif( is_admin() ){ // only admin

He says developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used.
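The difference between the mistaken check and a proper one, as an added example that is not the Yuzo Related Posts code or WordFence's: a settings-save handler hooked on `admin_init`, first gated by `is_admin()` and then by a capability check, a nonce, and sanitization. The option name, field name, nonce action and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Settings Guard (constructed example)
 */

// Hypothetical option name; not taken from Yuzo Related Posts.
const EXAMPLE_OPTION = 'example_related_settings';

// WEAK (left unhooked on purpose): is_admin() only reports that the request
// targets an admin-area script. admin_init also fires for admin-ajax.php and
// admin-post.php, so this branch runs for visitors who are not logged in.
function example_save_settings_weak() {
    if ( is_admin() && isset( $_POST['example_footer_text'] ) ) {
        update_option( EXAMPLE_OPTION, $_POST['example_footer_text'] );
    }
}

// HARDENED: require a capability, a valid nonce, and sanitized input.
function example_save_settings_hardened() {
    if ( ! isset( $_POST['example_footer_text'] ) ) {
        return; // Not a settings submission.
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies unless the form carried a nonce from wp_nonce_field( 'example_save' ).
    check_admin_referer( 'example_save' );

    $text = sanitize_text_field( wp_unslash( $_POST['example_footer_text'] ) );
    update_option( EXAMPLE_OPTION, $text );
}
add_action( 'admin_init', 'example_save_settings_hardened' );

// Escape on output as well, so a value stored before the fix renders as text.
function example_render_footer() {
    $text = get_option( EXAMPLE_OPTION, '' );
    echo '<p class="example-footer">' . esc_html( $text ) . '</p>';
}
add_action( 'wp_footer', 'example_render_footer' );
```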

Injects malicious JavaScript

The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.

As evidenced by the number of probes against my site, threat actors have begun exploiting sites with YRP installed. The exploits in the wild inject malicious JavaScript. When a visitor lands on a compromised website containing the malicious payload, they will be redirected to malicious tech support scam pages – like this example:

[Image: Fake tech support page]

The WordFence analysis shows that the attempts to exploit this vulnerability in YRP share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.

The security researchers found that all three campaigns so far have these in common:

  • A malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53.
  • Exploitation of stored XSS injection vulnerabilities, followed by the deployment of malicious redirects.

WordFence is confident that the tactics, techniques and procedures in all three attacks point to a common threat actor.

WordFence recommends that WordPress site owners running Yuzo Related Posts remove it from their sites immediately, at least until a fix has been published by the author.

rb-

What to do?

    • Keep your WordPress and plugins up to date.
    • Do you really need Yuzo Related Posts? Here is a list of alternatives from WordPress.
    • Make sure you have good backups of your WordPress site – and you can restore it.
    • Get a firewall on your WordPress site.
    • Block the IP 176.123.9[.]53 from your site.
    • Harden your WordPress site.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.