Zero-Day Vulnerability in Yellow Pencil Visual Theme Customizer Exploited in the Wild

On Monday the WordPress plugin Yellow Pencil Visual Theme Customizer was closed in the WordPress.org plugin repository. The plugin is quite popular, with an active install base of over 30,000 websites. On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin.

We are seeing a high volume of attempts to exploit this vulnerability. The exploits very closely resemble the POC posted by the irresponsible researcher.

We deployed a firewall rule to protect against these attacks yesterday, which our Premium customers have now received. All site owners are urged to remove the plugin from their sites immediately.

Privilege Escalation Enables Arbitrary Options Updates

The first flaw that enables this attack is present in the yellow-pencil.php file within the plugin. The yp_remote_get_first() function is called on every page load and checks if a specific request parameter (yp_remote_get) has been set. If it has, the plugin escalates privileges to that of an administrator for the remainder of the request.

function yp_remote_get_first(){
    // Runs on every page load. The presence of a request parameter alone
    // decides whether the request is treated as user ID 1 (normally the
    // site administrator); no authentication or capability check is made.
    if(isset($_GET["yp_remote_get"])){
        wp_set_current_user(1);
        show_admin_bar(false);
    }
}

This privilege escalation makes any user capability checks later in the plugin moot. As a result, unauthenticated users can perform actions, such as changing arbitrary options, that were only meant for site administrators. A cross-site request forgery (CSRF) check is also missing in the function below; its presence would have made this much more difficult to exploit.

function yp_option_update(){

    // Can? -- a capability check only: no nonce (CSRF token) is verified,
    // and yp_remote_get_first() may already have made this request "admin"
    if(current_user_can("edit_theme_options") == true){

        // Import the data
        if(isset($_POST['yp_json_import_data'])){

            $data = trim( strip_tags ( $_POST['yp_json_import_data'] ) );

            if(empty($data) == false){

                yp_import_data($data);   // writes the request-supplied options
            }
        }
    }
}
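A hardened counterpart to both functions above, as an added example: this is not the plugin's code and not the vendor's 7.2.1 fix. It assumes it is loaded inside WordPress (so current_user_can, wp_verify_nonce, wp_unslash, update_option and the admin_post_* hook exist); the nonce action name, the nonce field name, the admin_post action and the allow-listed option names are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: YP hardening example (added example, not the plugin's own code)
 *
 * 1. yp_remote_get_first() has no safe version: a request parameter must
 *    never change the current user. The fix is to delete the function and
 *    not register it on any hook. Anything that needs elevated rights must
 *    rely on the capabilities of the user who is actually logged in.
 *
 * 2. The option-import handler below performs a capability check AND a
 *    CSRF nonce check, and only writes allow-listed option names.
 */

function yp_option_update_hardened() {
    // Capability check: only users who may edit theme options continue.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // CSRF check: the submitting form must carry
    // wp_nonce_field( 'yp_import_data', 'yp_import_nonce' ) (assumed names).
    // A logged-in admin lured to a third-party page cannot produce a valid
    // nonce, so a forged POST is rejected here.
    $nonce = isset( $_POST['yp_import_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['yp_import_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'yp_import_data' ) ) {
        wp_die( 'Invalid or missing nonce.', 'Forbidden', array( 'response' => 403 ) );
    }

    if ( ! isset( $_POST['yp_json_import_data'] ) ) {
        return;
    }

    // Parse the payload as JSON instead of trusting strip_tags() to sanitise it.
    $raw  = trim( wp_unslash( $_POST['yp_json_import_data'] ) );
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Import payload must be a JSON object.', 'Bad Request', array( 'response' => 400 ) );
    }

    // Allow-list the option names the import may touch, so the payload cannot
    // rewrite siteurl, home or any other arbitrary option. The two names here
    // are assumed for illustration; a real plugin would list its own options.
    $allowed = array( 'yp_custom_css', 'yp_settings' );
    foreach ( $data as $key => $value ) {
        if ( in_array( $key, $allowed, true ) ) {
            update_option( $key, $value );
        }
    }
}

// Handler for forms posted to admin-post.php with action=yp_option_update
// (assumed action name). Only logged-in users reach admin_post_* hooks;
// the checks inside the function still decide whether the request is valid.
add_action( 'admin_post_yp_option_update', 'yp_option_update_hardened' );
```

WordPress's check_admin_referer( 'yp_import_data', 'yp_import_nonce' ) bundles the nonce lookup and verification into one call; the explicit wp_verify_nonce form is used above so that each rejected condition is visible.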

Familiar Threat Actor Strikes Again

We’re again seeing commonalities between these exploit attempts and attacks on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins. Exploits so far are using a malicious script hosted on a domain, hellofromhony[.]com, which resolves to 176.123.9[.]53. That IP address was used in the other attacks mentioned. We are confident that all four attack campaigns are the work of the same threat actor.
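A way to look for this activity in a site's own access logs, as an added example that is not part of the original post: the script flags any request carrying the yp_remote_get parameter and any request or referrer that mentions the campaign domain or IP above. It assumes the Apache/nginx "combined" log format, and the four log lines embedded below are constructed for the demonstration, not real traffic.

```php
<?php
/**
 * Added example: scan combined-format access log lines for the exploit
 * trigger and the campaign indicators named in the post. Run with:
 *   php scan.php            (uses the constructed sample below)
 *   php scan.php access.log (scans a real file)
 */

// Indicators from the post, kept in their defanged form and re-fanged here.
const IOC_DOMAIN_DEFANGED = 'hellofromhony[.]com';
const IOC_IP_DEFANGED     = '176.123.9[.]53';

function refang(string $value): string {
    return str_replace('[.]', '.', $value);
}

// Constructed sample log lines (addresses from RFC 5737 documentation ranges).
const SAMPLE_LOG = <<<LOG
203.0.113.7 - - [10/Apr/2019:14:02:11 +0000] "GET /?yp_remote_get=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2019:14:02:12 +0000] "POST /wp-admin/admin-ajax.php?yp_remote_get=1 HTTP/1.1" 200 42 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2019:14:05:40 +0000] "GET /about/ HTTP/1.1" 200 8801 "https://hellofromhony.com/" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2019:14:06:02 +0000] "GET /blog/ HTTP/1.1" 200 7712 "-" "Mozilla/5.0"
LOG;

/**
 * Return one finding per suspicious line: source IP, HTTP status, the
 * reasons that fired, and the raw line for later review.
 */
function scan_access_log(string $log): array {
    $findings = [];
    $pattern  = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';
    $domain   = refang(IOC_DOMAIN_DEFANGED);
    $ip       = refang(IOC_IP_DEFANGED);

    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;   // not a combined-format line; skip it
        }
        [, $srcIp, , $method, $target, $status, $referrer] = $m;

        $query  = [];
        $parsed = parse_url($target);
        if (isset($parsed['query'])) {
            parse_str($parsed['query'], $query);
        }

        $reasons = [];
        // The escalation trigger: the plugin only checks that the parameter
        // exists, so any value (and any method) is suspicious.
        if (array_key_exists('yp_remote_get', $query)) {
            $reasons[] = "yp_remote_get parameter present ($method)";
        }
        // Known campaign infrastructure appearing in the URL or referrer.
        foreach ([$target, $referrer] as $field) {
            if (stripos($field, $domain) !== false || strpos($field, $ip) !== false) {
                $reasons[] = "campaign indicator in request: $field";
                break;
            }
        }
        if ($reasons) {
            $findings[] = ['ip' => $srcIp, 'status' => (int) $status, 'reasons' => $reasons, 'line' => $line];
        }
    }
    return $findings;
}

$log = isset($argv[1]) ? file_get_contents($argv[1]) : SAMPLE_LOG;
foreach (scan_access_log($log) as $f) {
    printf("%-15s HTTP %d  %s\n", $f['ip'], $f['status'], implode('; ', $f['reasons']));
}
```

On the constructed sample the first three lines are reported (two for the parameter, one for the referrer) and the fourth is not. A 200 response to a request carrying yp_remote_get on a site that still had the plugin installed is worth treating as a likely successful exploitation rather than a mere probe.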

Conclusion

As has repeatedly been the case, a disgruntled security researcher continues to put the WordPress community at risk by publicly disclosing POCs for zero-day vulnerabilities. In this environment we strongly recommend staying on top of WordPress security news and considering an upgrade to Wordfence Premium.

Site owners running the Yellow Pencil Visual Theme Customizer plugin are urged to remove it from their sites immediately. Wordfence Premium customers received an updated firewall rule to protect against this vulnerability yesterday. Free users will receive it 30 days later.


Comments

10 Comments
  • Thank you for this blog. I do not have this plugin, but have the problem on my https://lanupitan.com website. Is there any other help on how to get rid of it.

    • If you have a similar issue on your site and you're not using Yellow Pencil Visual Theme Customizer, you might have another vulnerability on your site. I'd recommend having someone look at the actual redirect, review recent log files, and determine what may have happened. If you're unsure, you can leverage our site cleaning team who can assist. https://www.wordfence.com/wordfence-site-cleanings/ You can also review this guide to help you clean your hacked site. https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

  • Please help in resolving this issue as my website is getting redirected and I am not sure if I remove Yellow Pencil my CSS will stay.

    • If your website is currently being redirected, the vulnerability on your site has likely been exploited. We recommend restoring from a recent backup and removing the affected plugins, following this guide to clean your hacked site https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/, or reaching out to our security services team for assistance. https://www.wordfence.com/wordfence-site-cleanings/ There are other ways of applying CSS to your WordPress site beyond a plugin. https://www.wpbeginner.com/plugins/how-to-easily-add-custom-css-to-your-wordpress-site/

  • One of my sites was struck by this two days ago. To get back to full functionality, I had to restore to a prior version of the database. That is, changes to files were not sufficient to undo the redirects that had been inserted. I just wanted to leave this note in case it helps others solve similar issues in the future.

    • Please note, you can use phpMyAdmin to access the db and change sitename, siteurl back to normal and the wp dashboard will be accessible for further urgent copy of code/files.

    • That's because it will either change the site/home URL string in wp_options or add serialized data containing javascript in wp_options, or both, but either will cause the redirect to persist even after replacing all core files. Good troubleshooting and planning by having a backup handy :)

    • In many cases the redirect is due to the siteurl and home values being changed in wp_options (or whatever your table prefix is). There are some other plugins where this can be compromised too, such as the yuzo related posts plugin.

  • For the people who have been hacked due to a vulnerability in this plugin you can fix it by doing the following:

    1. Log into your WordPress database with phpMyAdmin through your hosting control panel.

    2. Navigate to the wordpress_options table.

    3. Edit the first two rows “siteurl” and “home” back to your domain e.g. https://website.com

    4. Click on your database name in the left panel of phpMyAdmin and then click the Search button along the top bar and search all of your tables for the name of the malicious domain that your website was redirecting to with ‘ ’ either side e.g. %baddomain to find any remaining records.
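The database checks from the comment above, as an added example that is not part of the original post or comments: it verifies siteurl and home against the expected URL, searches option values for the redirect domain, and restores the two URLs. With no argument it builds a constructed in-memory SQLite wp_options table so the logic can be tried offline; given a PDO DSN it runs against a real database (MySQL credentials would be added to the DSN or the PDO constructor). The table prefix, expected URL and "evil.example" domain are placeholders to replace.

```php
<?php
/**
 * Added example: wp_options checks for a redirect compromise.
 *   php wp_options_check.php                       (constructed sample data)
 *   php wp_options_check.php "sqlite:/path/to/copy.db"   (a real database)
 */

/** Build an in-memory wp_options table with constructed, tampered values. */
function build_sample_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT, autoload TEXT)');
    $ins = $pdo->prepare('INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)');
    // siteurl/home rewritten to a placeholder attacker domain, plus one
    // serialized option carrying a script tag, as the comments describe.
    $ins->execute(['siteurl', 'https://evil.example/redirect', 'yes']);
    $ins->execute(['home', 'https://evil.example/redirect', 'yes']);
    $ins->execute(['blogname', 'My Site', 'yes']);
    $ins->execute(['widget_text', serialize(['<script src="https://evil.example/x.js"></script>']), 'yes']);
    return $pdo;
}

/** Return siteurl/home values that differ from the expected URL (steps 2-3). */
function check_site_urls(PDO $pdo, string $prefix, string $expected): array {
    $stmt = $pdo->prepare("SELECT option_name, option_value FROM {$prefix}options WHERE option_name IN ('siteurl', 'home')");
    $stmt->execute();
    $bad = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (rtrim($row['option_value'], '/') !== rtrim($expected, '/')) {
            $bad[$row['option_name']] = $row['option_value'];
        }
    }
    return $bad;
}

/** Names of every option whose value mentions the malicious domain (step 4). */
function find_domain_references(PDO $pdo, string $prefix, string $domain): array {
    $stmt = $pdo->prepare("SELECT option_name FROM {$prefix}options WHERE option_value LIKE ?");
    $stmt->execute(['%' . $domain . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Put siteurl and home back to the expected URL; returns rows changed. */
function restore_site_urls(PDO $pdo, string $prefix, string $expected): int {
    $stmt = $pdo->prepare("UPDATE {$prefix}options SET option_value = ? WHERE option_name IN ('siteurl', 'home')");
    $stmt->execute([$expected]);
    return $stmt->rowCount();
}

$pdo      = isset($argv[1]) ? new PDO($argv[1]) : build_sample_db();
$prefix   = 'wp_';                  // your table prefix (wordpress_ in the comment above)
$expected = 'https://website.com';  // your real site URL
$domain   = 'evil.example';         // the domain the site redirects to (placeholder)

echo "Tampered URL options:\n";
print_r(check_site_urls($pdo, $prefix, $expected));
echo "Options referencing $domain:\n";
print_r(find_domain_references($pdo, $prefix, $domain));
echo restore_site_urls($pdo, $prefix, $expected), " URL option(s) restored\n";
echo "Remaining tampered URL options:\n";
print_r(check_site_urls($pdo, $prefix, $expected));
```

Restoring siteurl and home only removes the redirect; the search results (here the serialized widget_text entry) still need to be cleaned by hand, and the search covers only the options table, so the other tables step 4 mentions still need a full-database search.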

  • 7.2.1 > Extra Security: Added nonce (token) for all action.
    https://wordpress.org/plugins/yellow-pencil-visual-theme-customizer/#developers