How Hackers Exploited the Yuzo WordPress Plugin

Recently, a vulnerability in the WordPress plugin ‘Yuzo Related Posts’ was exploited by hackers. Read on to know more about it…

Recently, a vulnerability in the WordPress plugin ‘Yuzo Related Posts’ was exploited by hackers to inject JavaScript and redirect users to scam pages. The injected JavaScript redirected site visitors to websites displaying scams, including tech support scams, and to sites promoting unwanted software such as browser extensions.

On March 30th, 2019, the developer of Yuzo Related Posts removed the plugin from the WordPress plugin directory after a WordPress security company publicly disclosed the vulnerability. One reason this vulnerability needs to be addressed urgently is that the plugin has over 60,000 installations, and those users have not been notified about the vulnerability.

Investigation
Dan Moen, a security researcher at Defiant, noted that missing authentication checks allowed attackers to modify the yuzo_related_post_options value in order to inject the script.

“Developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used. In this scenario self::_ini_() is called on any request to an administrative interface page, including /wp-admin/options-general.php and /wp-admin/admin-post.php, which allows a POST request to those pages to be processed by self::save_options(); later in the code,” Moen wrote in a blog post.

Modus Operandi
The injected code created a new script tag with the source ‘https://hellofromhony[.]org/counter’ and inserted it into the head of the page. Once loaded, this script redirected users through several websites before landing them on a scam page: an unwanted browser extension page, a survey or spin-the-wheel scam page, or a tech support scam page.

According to Dan Moen, who wrote about this vulnerability, missing authentication checks allowed attackers to modify the yuzo_related_post_options value in order to inject the script. This was possible through improper use of the is_admin() function, which only determines whether the current request is for the administration section of a WordPress site; it is commonly misused as a check of whether the user is an administrator.
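To make the is_admin() misuse concrete, here is an added illustrative example (not the Yuzo plugin’s own code): a settings handler gated only by is_admin(), beside a version with the capability, nonce and sanitization checks WordPress expects. The class name, option name and form field names are hypothetical stand-ins.

```php
<?php
// Added example, not the Yuzo plugin's code. Class/option/field names are hypothetical.
class Example_Related_Posts_Settings {
    const OPTION = 'example_related_post_options'; // hypothetical option name

    // VULNERABLE PATTERN: is_admin() is true for ANY request to a /wp-admin/ URL,
    // such as admin-post.php, regardless of whether the requester is logged in or
    // holds any capability. An unauthenticated POST therefore reaches save_options().
    public static function init_insecure() {
        if ( is_admin() && isset( $_POST['example_save'] ) ) {
            self::save_options_insecure();
        }
    }

    private static function save_options_insecure() {
        // Stored verbatim and later echoed into <head>: arbitrary script can be persisted.
        update_option( self::OPTION, wp_unslash( $_POST['example_options'] ) );
    }

    // HARDENED PATTERN: require a capability, verify a nonce, and sanitize by key.
    public static function init_secure() {
        // admin_post_{action} fires only for POSTs to admin-post.php with action=example_save,
        // and only for logged-in users (the nopriv variant is deliberately not registered).
        add_action( 'admin_post_example_save', array( __CLASS__, 'save_options_secure' ) );
    }

    public static function save_options_secure() {
        if ( ! current_user_can( 'manage_options' ) ) {          // real privilege check
            wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
        }
        check_admin_referer( 'example_save_options' );           // CSRF protection (nonce)

        $raw = ( isset( $_POST['example_options'] ) && is_array( $_POST['example_options'] ) )
            ? wp_unslash( $_POST['example_options'] ) : array();

        // Allow only known keys with typed sanitization; no free-form HTML or JS is stored.
        $clean = array(
            'count'   => isset( $raw['count'] ) ? absint( $raw['count'] ) : 5,
            'heading' => isset( $raw['heading'] ) ? sanitize_text_field( $raw['heading'] ) : '',
            'css'     => isset( $raw['css'] ) ? wp_strip_all_tags( $raw['css'] ) : '',
        );
        update_option( self::OPTION, $clean );

        wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) ) );
        exit;
    }
}
```

The same option must also be escaped on output (esc_html(), esc_attr()) where the plugin renders it, since stored sanitization alone does not protect templates that print raw values.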

Damage Control
The developer of Yuzo, who goes by the name ‘iLen’, stated that they are working on fixing the vulnerability and that anyone using the plugin should uninstall it until a new version is released. “A bad person found a bug in Yuzo and this was what caused the redirection. It’s from the plugin and if I’m working on it,” the Yuzo developer told BleepingComputer. The developer removed the plugin from the WordPress plugin directory on March 30, 2019, after researchers at Pluginvulnerabilities.com publicly disclosed the vulnerability.

Site owners running the Yuzo Related Posts plugin are urged to remove it from their sites immediately, at least until a fix has been published by the author.