WordPress Yellow Pencil Plugin Flaws Actively Exploited


Yet another WordPress plugin, Yellow Pencil Visual Theme Customizer, is being exploited in the wild after two software vulnerabilities were discovered.

The maker of the WordPress plugin Yellow Pencil Visual Theme Customizer is asking all users to update immediately after the plugin was discovered to have software vulnerabilities that are being actively exploited.

The attacker exploiting these flaws has been behind several other recent plugin attacks these past few weeks, researchers said.

A visual-design plugin that allows users to style their websites, Yellow Pencil has an active install base of more than 30,000 websites. However, the plugin was discovered to have two software vulnerabilities which are now being actively exploited.

In a security update on its website, Yellow Pencil urged users to update to the latest version of the plugin, 7.2.0, as soon as possible: “If your website does not redirect to malware website, your website is not hacked but you must update the plugin quickly to the latest version for keeping your website safe. 7.2.0 version is safe and all older versions is under risk now.”

According to WordPress, the plugin was removed from the plugin repository on Monday and is no longer available for download. A security researcher then “made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin” – after which the exploits began, Wordfence researchers said.

“We are seeing a high volume of attempts to exploit this vulnerability,” researchers with Wordfence said in a Thursday post outlining the exploits. “Site owners running the Yellow Pencil Visual Theme Customizer plugin are urged to remove it from their sites immediately.”

Researchers said that one of the two flaws in the plugin is a privilege-escalation vulnerability that exists in its yellow-pencil.php file. This file has a function that checks whether a specific request parameter (yp_remote_get) has been set – and if it has, the plugin promptly escalates the user’s privileges to those of an administrator.


That means that any unauthenticated user could perform site-admin actions, such as changing arbitrary options.

The second flaw is a missing cross-site request forgery (CSRF) check: “a cross-site request forgery (CSRF) check is missing in the function below that would have made it much more difficult to exploit,” researchers said.
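As an added defender-side example that is not from the article or from Wordfence, the following Python flags web-server access-log entries whose query string sets the yp_remote_get parameter described above, so a site owner can triage attempts against the plugin. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format (not real traffic).
# Two of them carry the yp_remote_get parameter the article describes.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Apr/2019:10:01:02 +0000] "GET /wp-content/plugins/yellow-pencil/yellow-pencil.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [11/Apr/2019:10:01:05 +0000] "GET /?yp_remote_get=1 HTTP/1.1" 200 2048 "-" "curl/7.64.0"
203.0.113.12 - - [11/Apr/2019:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?yp_remote_get=true HTTP/1.1" 200 77 "-" "python-requests/2.21"
203.0.113.13 - - [11/Apr/2019:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.14 - - [11/Apr/2019:10:02:30 +0000] "GET /?s=yp_remote_get HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TRIGGER_PARAM = "yp_remote_get"  # parameter named in the article


def has_trigger_param(target, param=TRIGGER_PARAM):
    """True if the request target carries `param` as a query-string key.

    Parsing the query string (rather than substring matching) means a search
    such as /?s=yp_remote_get is not flagged, while a bare /?yp_remote_get is.
    """
    query = urlsplit(target).query
    return param in parse_qs(query, keep_blank_values=True)


def find_exploit_attempts(log_text):
    """Return one record per request whose query string sets the trigger parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        if has_trigger_param(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"])})
    return hits


def attempts_by_ip(log_text):
    """Count flagged requests per source IP, for blocking or follow-up triage."""
    counts = {}
    for hit in find_exploit_attempts(log_text):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}')
```

A standard access log records only the query string, so a parameter sent in a POST body would need WAF or application-level logging to be seen; a flagged request with a 200 status is an attempt, not proof the site was compromised.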

Yellow Pencil did not respond to a request for further comment from Threatpost.

Researchers with Wordfence said they are “confident” that the plugin is being exploited by the same threat actor who has exploited other plugins – including Social Warfare and Easy WP SMTP, as well as Yuzo Related Posts, which was also discovered being exploited this week.

That’s because the IP address of the domain hosting the malicious script in the attacks is the same for the exploits in the other attacks, they said.

“We’re again seeing commonalities between these exploit attempts and attacks on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins,” they said. “We are confident that all four attack campaigns are the work of the same threat actor.”


Discussion

  • Plugin Vulnerabilities on

    We are the service provider mentioned in your post, though incorrectly referred to as a "security researcher"; our name is Plugin Vulnerabilities. We monitor the closure of popular WordPress plugins, as that can indicate there is a security vulnerability in them that caused the removal, and then if we find any, we warn our customers, since that is what they pay us to do, as well as the public at large. By comparison, the company you are mentioning only warns people after the vulnerabilities have been widely exploited, which obviously doesn't do people much good. Maybe it would be better to cite the original source, instead of a company that looks to be interested in leaving people vulnerable to being hacked instead of letting people take action before they can be exploited.
  • Sunny Kumar on

    No plugins are safe nowadays. First Social Warfare and Now This :/
  • Jay on

    Our site was hacked using this exploit. We removed the malware and deactivated Yellow Pencil, even though it is updated to version 7.2.0 now. I am hesitant to keep this plug-in on our site but need a replacement. Does anyone have any suggestions?
  • Orhangok_ulk on

    I enjoyed this plug-in very much. But the security weakness got my website hacked twice and I GOT AN SEO PENALTY ON GOOGLE. It is said they cleaned it by running an update, but I don't know how to trust the code even after Envato sent mails to users. I am just sorry about this security breach, but I'm moving to CSS Hero or Themeover.
