{"id":92741,"date":"2019-06-17T17:03:16","date_gmt":"2019-06-17T21:03:16","guid":{"rendered":"http:\/\/rbach.net\/index.php\/"},"modified":"2022-10-16T15:50:06","modified_gmt":"2022-10-16T19:50:06","slug":"do-you-yuzo","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/do-you-yuzo\/","title":{"rendered":"Is Yuzo on Your WordPress site?"},"content":{"rendered":"

\"Do<\/a>I am still busy unpacking and re-arranging the furniture at the new home of Bach Seat<\/a>. One of the nicer things about my new host is that I can now get WordPress alerts<\/strong>. And I have been getting a ton of alerts from the firewall that it blocked \u201cyuzo-related\u201d attack attempts<\/strong>. So I decided to see WTF \u201cyuzo-related\u201d attack attempts were about and found an excellent explanation<\/a> on the WordFence<\/a><\/em> site.<\/p>\n

60,000 WordPress websites<\/h3>\n

\"UnpatchedDan Moen at WordFence<\/em> explains that the Yuzo Related Posts (YRP) plugin for WordPress has an unpatched vulnerability<\/strong> that was publicly disclosed by a security researcher on March 30, 2019. The flaw which allows stored cross-site scripting<\/strong><\/a> (XSS), is now being exploited in the wild. The buggy plugin is installed on over 60,000 websites<\/strong> and has been removed from the WordPress.org<\/a> plugin directory.<\/p>\n

WordFence<\/em> recommends that all users remove the plugin from their sites immediately.<\/strong><\/p>\n

The blog’s author writes that the vulnerability in YRP stems from missing authentication checks<\/strong> in the plugin routines responsible for storing settings in the database. The code below is the crux of the problem. There is more in-depth coding tech-talk at WordFence.<\/em><\/p>\n

8 }elseif( is_admin() ){ \/\/ only admin<\/pre>\n
He says developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges<\/strong> should be run, but as the WordPress documentation<\/a> points out, that isn\u2019t how the function should be used.<\/p>\n
Injects malicious JavaScript<\/h3>\n
\"System<\/a>The result is that an unauthenticated attacker can inject malicious content<\/strong>, such as a JavaScript payload<\/strong>, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser<\/strong> when users visit the compromised website. This security issue could be used to deface websites<\/strong>, redirect visitors<\/strong> to unsafe websites, or compromise<\/strong> WordPress administrator accounts<\/strong>, among other things.<\/p>\n
As evidenced by the number of probes against my site, threat actors have begun exploiting sites with YRP installed. The exploits in the wild inject<\/strong> malicious JavaScript<\/a><\/strong>. When a visitor lands on a compromised website containing the malicious payload, they will be redirected to malicious tech support scam pages – like this example:<\/p>\n
\"Fake<\/a>The WordFence<\/em> analysis shows that the attempts to exploit this vulnerability in YRP share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare<\/a> and Easy WP SMTP<\/a>.<\/p>\n
The security researchers found all three campaigns so far have used these exploits:<\/p>\n