Users Urged to Uninstall WordPress Yuzo Plugin After Flaw Exploited

wordpress plugin zero day

A vulnerability in the Yuzo Related Posts WordPress plugin, used by 60,000 websites, is being exploited in the wild.

UPDATE

Users of the popular Yuzo Related Posts plugin are being urged to uninstall the plugin after a flaw was discovered being exploited in the wild – putting tens of thousands of websites at risk.

Yuzo Related Posts, which enables WordPress websites to display “related posts” segments, is installed on over 60,000 websites. A cross-site scripting flaw was recently disclosed in the plugin that could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, and more.

That vulnerability is now being exploited in the wild, warned Dan Moen with Wordfence in a Wednesday post: “The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These attacks appear to be linked to the same threat actor who targeted the recent Social Warfare and Easy WP SMTP vulnerabilities.”

The plugin was removed from the WordPress plugin directory on March 30 after a security researcher publicly and “irresponsibly” disclosed an unpatched vulnerability in the plugin that day, researchers with Wordfence said.

The support team for Yuzo Related Posts told Threatpost that it recommends users un-install the plugin immediately until an update becomes available.  

Automattic, which owns WordPress, did not immediately respond to a request for comment from Threatpost.

Moen said that the flaw stems from missing authentication checks in the plugin. Specifically, the flaw exists in the part of the plugin in charge of storing settings in the database.

That stored cross-site scripting flaw means that an unauthenticated attacker could inject malicious content into the plugin settings. If a bad actor were to inject a JavaScript payload into the settings, the payload would then be inserted into HTML templates – and executed by the web browser when users visit the compromised website, researchers said.

As of Wednesday (11 days after the irresponsible disclosure), researchers discovered that the flaw was being exploited, and websites with the plugin installed were being attacked.

Several companies using the plugin in their WordPress website, such as ManaJournal, said that as a consequence of the exploit their users were being re-directed to malicious websites.

https://twitter.com/manajournal/status/1116354930858778626

Other plugin users took to WordPress.org, an open source project that is separate from WordPress.com, to share their own experiences with the plugin.

One user, who said her website was “sort of hacked because of this plugin,” said: “I regret that the developers did not even take the effort to inform the users about this (with an update stating: no longer safe, or something).”

Researchers linked this most recent attack to a separate WordPress plugin exploit in March: The plugin, Social Warfare was also plagued by a stored cross-site scripting vulnerability that was being exploited in the wild. The incident comes after a separate vulnerability was disclosed and patched in a different WordPress plugin, Easy WP SMTP.  This vulnerability was also under active attack and being exploited by malicious actors to establish administrative control of impacted sites, researchers said.

Third-party plugins continues to be an Achille’s Heel for WordPress security. In fact, according to a January Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog.

“Vulnerabilities in WordPress plugins has been a long standing problem,” Chris Orr, systems engineer at Tripwire, said in an email. “The plug-in directory is very much like the Google Play store where vetting of apps is a major weakness. Lack of notifications by the plug-in developer is also an issue to contend with. It is recommended that WordPress users either automatically update the platform and their apps or pay close attention to the ones they use and how they behave and keep an eye out for vulnerabilities.”

Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.

A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.

This article was updated on April 12 at 1:46 p.m. to clarify that WordPress.org, erroneously described in a previous version of the article as a “support site” for WordPress.com, is an open source project that is separate from WordPress.com. 

Suggested articles