Sometimes when an organization dutifully shuts down a plugin because of cybersecurity concerns, the shutdown merely acts as a signal flare that draws malicious actors to a possible attack vector. That seems to be what happened with the WordPress plugin Yuzo Related Posts.
WordPress shut down Yuzo Related Posts, which has 60,000 installs, on March 30 due to several bugs, most notably an unauthenticated cross-site scripting zero-day vulnerability that was publicly disclosed that same day with no patch available. Wordfence’s Dan Moen expressed his displeasure with how the unnamed researcher dumped the vulnerability.
“The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day,” he wrote.
The Wordfence team followed up with a strong recommendation that users uninstall the plugin, adding that the vulnerability is being exploited in the wild. It also pointed out that the Wordfence firewall is able to protect users against the XSS attacks it has spotted so far, but additional issues are expected to arise, and a fix for those will be available to Premium users immediately and to users of the free version in 30 days.
“The vulnerability in Yuzo Related Posts stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The code below from assets/ilenframework/core.php is the crux of the problem,” Wordfence reported on April 10.
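The defect class Wordfence describes, shown as an added illustration rather than the plugin's actual code: a settings-saving routine that any visitor can reach, beside a hardened version that checks the caller's capability, validates a nonce, sanitizes on input and escapes on output. The function, hook, option and nonce names are assumptions chosen for the example.

```php
<?php
// Added example, not code from the Yuzo Related Posts plugin. Illustrates the
// defect class Wordfence describes: a settings routine with no authentication.

// VULNERABLE pattern: hooked to 'init', so it runs on every front-end request,
// and it writes the posted value straight to the options table. No capability
// check, no nonce, no sanitization: an unauthenticated request can store
// arbitrary HTML/JS that is later echoed to every visitor (stored XSS).
function example_vulnerable_save_settings() {
    if ( isset( $_POST['example_related_heading'] ) ) {
        update_option( 'example_related_heading', $_POST['example_related_heading'] );
    }
}
add_action( 'init', 'example_vulnerable_save_settings' );

// HARDENED pattern: only an administrator may save, the request must carry a
// valid nonce from the settings form, and the value is sanitized before it is
// stored and escaped when it is rendered.
function example_hardened_save_settings() {
    if ( ! isset( $_POST['example_related_heading'] ) ) {
        return;
    }
    // 1. Authorization: reject any caller without the manage_options capability.
    //    admin_init also fires for admin-ajax.php, so this check is still needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the form must include the nonce emitted by
    //    wp_nonce_field( 'example_save_settings', 'example_settings_nonce' ).
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );
    // 3. Input handling: strip tags and control characters before storing.
    $value = sanitize_text_field( wp_unslash( $_POST['example_related_heading'] ) );
    update_option( 'example_related_heading', $value );
}
add_action( 'admin_init', 'example_hardened_save_settings' );

// 4. Output handling: escape at render time so stored data can never be
//    interpreted as markup even if a future code path stores it unsanitized.
function example_render_related_heading() {
    echo '<h3>' . esc_html( get_option( 'example_related_heading', '' ) ) . '</h3>';
}
```

Detection note for site owners: a request that changes a plugin option while carrying no logged-in session cookie is the signature of this class of bug, and the `wp_options` row for the plugin's settings is where injected script ends up.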
Sucuri analysts said that within days sites using the plugin were reporting attacks.
“Today, on April 10, 2019, we see many posts on the WordPress support forum related to hacks of websites that use the plugin,” Sucuri posted.
One of the bigger names that has fallen victim to Yuzo is the email automation service Mailgun.
While disclosing flaws is a normal occurrence, it is imperative that those with knowledge of these vulnerabilities disclose them properly.
“Proper, responsible vulnerability disclosures are something that should be carried with the utmost of care. The failure to do so can have widespread and serious repercussions. In this case, it was unfortunate that the zero-day was released to the public instead of the plugin author. If the author had been alerted with the vulnerability’s proof of concept, things would have played out completely differently,” said Oscar Tovar, application security specialist at WhiteHat Security.
Yuzo Related Posts is the third WordPress plugin to make the news in the past several weeks. Last week a critical SQL injection/PHP object injection vulnerability in the Duplicate-Page WordPress plugin was disclosed. In mid-March it was reported that hackers were continuing to abuse the recently patched zero-day vulnerability in the WordPress plugin Easy WP SMTP, which if exploited can give attackers administrative control of a site.