Zero-day in popular Yuzo Related Posts WordPress Plugin exploited in the wild

According to experts a vulnerability in the popular WordPress plugin Yuzo Related Posts is exploited by attackers to redirect users to malicious sites.

The XSS flaw allows attackers to inject a JavaScript into the sites that redirect visitors to websites displaying scams, including tech support scams, and sites promoting unwanted software.

The Yuzo Related Posts plugin was removed from the WordPress plugin store on March 30th, 2019. after a zero-day vulnerability was publicly, and irresponsibly, disclosed by a security researcher the same day. 

The Yuzo Related Posts plugin is currently installed on over 60,000 websites worldwide that at the time of writing are yet to be notified.

Many users reported that threat actors in the wild have recently started exploiting the vulnerability, they noticed that their websites were redirecting users to unwanted sites.

According to security experts at WordFence, the vulnerability in Yuzo plugin stems from missing authentication checks in the plugin routines used to store settings in the database.

“The vulnerability in Yuzo Related Posts stems from missing authentication checks in the plugin routines responsible for storing settings in the database.” reads the blog post published by WordFence.

The Plugin author Lenin Zapata provided the following suggestion to halt the attack:

• Remove / Uninstall the plugin immediately.
• Within your database go to the wp_options table and look for the value yuzo_related_post_options delete that record.
• Do not delete the table of visits wp_yuzoviews, this does not influence the problem.

Soon I will send an improved version of Yuzo for all users.

An attacker could inject an obfuscated JavaScript script in the yuzo_related_post_options value of the wp_options table.

Once deobfuscated, the script will create a new script tag with a source of https://hellofromhony[.]org/counter, which will be injected into the head of the page. When a user visits a compromised website will be redirected to malicious websites, such as tech support scam pages. 

WordFence researchers believe that the attacks were carried out by the same threat actors that targeted WordPress installs using the Social Warfare and Easy WP SMTP plugins.

The exploits against the above pluging have used a malicious script hosted on the domain hellofromhony[.]org, which resolves to 176.123.9[.]53, that is same IP address involved in the Social Warfare and Easy WP SMTP campaigns. All three campaigns leverage stored XSS injection vulnerabilities and have deployed malicious redirects.

“Cases like this underscore the importance of a layered security approach which includes a WordPress firewall.” concludes WordFence

“Site owners running the Yuzo Related Posts plugin are urged to remove it from their sites immediately, at least until a fix has been published by the author.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – WordPress, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]