Wordfence Blog

Zero-Day Vulnerability in Yellow Pencil Visual Theme Customizer Exploited in the Wild

This entry was posted in Vulnerabilities, WordPress Security on April 11, 2019 by James

On Monday the WordPress plugin Yellow Pencil Visual Theme Customizer was closed in the WordPress.org plugin repository. The plugin is quite popular, with an active install base of over 30,000 websites. On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin.

We are seeing a high volume of attempts to exploit this vulnerability. The exploits very closely resemble the POC posted by the irresponsible researcher.

We deployed a firewall rule to protect against these attacks yesterday, which our Premium customers have now received. All site owners are urged to remove the plugin from their sites immediately.

Privilege Escalation Enables Arbitrary Options Updates

The first flaw that enables this attack is present in the yellow-pencil.php file within the plugin. The yp_remote_get_first() function is called on every page load and checks if a specific request parameter (yp_remote_get) has been set. If it has, the plugin escalates privileges to that of an administrator for the remainder of the request.

function yp_remote_get_first(){
    // Runs on every page load. Any request that carries ?yp_remote_get=...
    // is promoted to user ID 1 (normally the first administrator account)
    // with no authentication or capability check at all.
    if(isset($_GET["yp_remote_get"])){
        wp_set_current_user(1);
        show_admin_bar(false);
    }
}

This privilege escalation makes any user capability checks later in the plugin moot. As a result, unauthenticated users can perform actions, such as changing arbitrary options, that were only meant for site administrators. A cross-site request forgery (CSRF) check is missing in the function below; its presence would have made the flaw much more difficult to exploit.

function yp_option_update(){

    // Can?
    // The capability check is the only gate: there is no nonce (CSRF) check,
    // and after yp_remote_get_first() has run, current_user_can() answers
    // for user ID 1, so the check passes for an unauthenticated request.
    if(current_user_can("edit_theme_options") == true){

        // Import the data
        if(isset($_POST['yp_json_import_data'])){

            $data = trim( strip_tags ( $_POST['yp_json_import_data'] ) );

            if(empty($data) == false){

                yp_import_data($data);
            }
        }
    }
    // (remainder of the function not shown in the post)
}
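As an added example, not code from the post or from the plugin: a small Python triage script that reads web-server access-log lines in the common combined log format and flags every request carrying the yp_remote_get parameter described above, rating those that arrive as a POST (the shape of an options-update attempt) highest. The sample log lines and the severity split are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client, timestamp, "METHOD target HTTP/x", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request parameter that the vulnerable yp_remote_get_first() keys on.
TRIGGER_PARAM = "yp_remote_get"

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def classify(rec):
    """'high' when yp_remote_get rides on a POST (an option-update attempt),
    'medium' on any other request carrying it, None otherwise. The split is an
    assumption: GET hits may include the plugin's own use of the parameter."""
    if TRIGGER_PARAM not in rec["params"]:
        return None
    return "high" if rec["method"] == "POST" else "medium"

def triage(log_text):
    """Return (ip, method, path, severity) for every flagged request, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            sev = classify(rec)
            if sev:
                hits.append((rec["ip"], rec["method"], rec["path"], sev))
    return hits

# Constructed sample log; the IPs are documentation ranges, not real attacker IPs.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Apr/2019:09:14:02 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812
203.0.113.7 - - [11/Apr/2019:09:14:05 +0000] "GET /?yp_remote_get=1 HTTP/1.1" 200 5120
198.51.100.23 - - [11/Apr/2019:09:14:09 +0000] "POST /?yp_remote_get=1 HTTP/1.1" 200 5120
192.0.2.44 - - [11/Apr/2019:09:15:30 +0000] "GET /?p=42 HTTP/1.1" 200 9000
"""
```

Run triage(SAMPLE_LOG) against a real log export to list the requests worth reviewing first; the "medium" entries need a human look because the parameter may also appear in legitimate traffic.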

Familiar Threat Actor Strikes Again

We’re again seeing commonalities between these exploit attempts and attacks on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins. Exploits so far are using a malicious script hosted on a domain, hellofromhony[.]com, which resolves to 176.123.9[.]53. That IP address was used in the other attacks mentioned. We are confident that all four attack campaigns are the work of the same threat actor.

Conclusion

As has repeatedly been the case, a disgruntled security researcher continues to put the WordPress community at risk by publicly disclosing POCs for zero-day vulnerabilities. In this environment we strongly recommend staying on top of WordPress security news and considering an upgrade to Wordfence Premium.

Site owners running the Yellow Pencil Visual Theme Customizer plugin are urged to remove it from their sites immediately. Wordfence Premium customers received an updated firewall rule to protect against this vulnerability yesterday. Free users will receive it 30 days later.


5 Comments on "Zero-Day Vulnerability in Yellow Pencil Visual Theme Customizer Exploited in the Wild"

Lanumi1753 April 11, 2019 at 2:42 pm • Reply

Thank you for this blog. I do not have this plugin, but have the problem on my https://lanupitan.com website. Is there any other help on how to get rid of it?

Kathy Zant April 12, 2019 at 10:51 am • Reply

If you have a similar issue on your site and you're not using Yellow Pencil Visual Theme Customizer, you might have another vulnerability on your site. I'd recommend having someone look at the actual redirect, review recent log files, and determine what may have happened. If you're unsure, you can leverage our site cleaning team who can assist. https://www.wordfence.com/wordfence-site-cleanings/ You can also review this guide to help you clean your hacked site. https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

shikhar April 11, 2019 at 10:02 pm • Reply

Please help in resolving this issue as my website is getting redirected and I am not sure if I remove Yellow Pencil my CSS will stay.

Kathy Zant April 12, 2019 at 10:48 am • Reply

If your website is currently being redirected, the vulnerability on your site has likely been exploited. We recommend restoring from a recent backup and removing the affected plugins, following this guide to clean your hacked site https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/, or reaching out to our security services team for assistance. https://www.wordfence.com/wordfence-site-cleanings/ There are other ways of applying CSS to your WordPress site beyond a plugin. https://www.wpbeginner.com/plugins/how-to-easily-add-custom-css-to-your-wordpress-site/

Ben H April 12, 2019 at 8:54 am • Reply

One of my sites was struck by this two days ago. To get back to full functionality, I had to restore to a prior version of the database. That is, changes to files were not sufficient to undo the redirects that had been inserted. I just wanted to leave this note in case it helps others solve similar issues in the future.
