The maker of a WordPress plugin, Yellow Pencil Visual Theme Customizer, is asking all users to immediately update after it was discovered to have software vulnerabilities that are being actively exploited.
The attacker exploiting these flaws has been behind several other recent plugin attacks these past few weeks, researchers said.
A visual-design plugin which allows users to style their websites, Yellow Pencil has an active install base of more than 30,000 websites. However, the plugin was discovered to have two software vulnerabilities which are now under active exploit.
In a security update on its website, Yellow Pencil urged users to update to the latest version of the plugin, 7.2.0, as soon as possible: “If your website does not redirect to malware website, your website is not hacked but you must update the plugin quickly to the latest version for keeping your website safe. 7.2.0 version is safe and all older versions is under risk now.”
According to WordPress, the plugin was removed from the plugin repository on Monday and is no longer available for download. A security researcher then “made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin” – after which the exploits began, Wordfence researchers said.
“We are seeing a high volume of attempts to exploit this vulnerability,” researchers with Wordfence said in a Thursday post outlining the exploits. “Site owners running the Yellow Pencil Visual Theme Customizer plugin are urged to remove it from their sites immediately.”
Vulnerabilities
Researchers said that one of the two flaws in the plugin is a privilege-escalation vulnerability that exists in its yellow-pencil.php file. This file has a function that checks if a specific request parameter (yp_remote_get) has been set – and if it has, the plugin promptly escalates the users’ privileges to that of an administrator.
That means that any unauthenticated user could perform site admin actions, like changing arbitrary options or more.
The second flaw is “a cross-site request forgery (CSRF) check is missing in the function below that would have made it much more difficult to exploit,” researchers said.
Yellow Pencil did not respond to a request for further comment from Threatpost.
Plugin Exploit Specialists?
Researchers with Wordfence said they are “confident” that the plugin is being exploited by the same threat actor who has exploited other plugins – including Social Warfare and Easy WP SMTP, as well as Yuzo Related Posts, which was also discovered being exploited this week.
That’s because the IP address of the domain hosting the malicious script in the attacks is the same for the exploits in the other attacks, they said.
“We’re again seeing commonalities between these exploit attempts and attacks on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins,” they said. “We are confident that all four attack campaigns are the work of the same threat actor.”
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.