Pierluigi Paganini April 15, 2019

Thousands of WordPress sites using the Yellow Pencil Plugin were exposed to hacking due to a privilege escalation vulnerability in the plugin.

A privilege escalation vulnerability in the Yellow Pencil Visual Theme Customizer plugin exposes WordPress websites to hack. The flaw could be exploited by attackers to update arbitrary options on vulnerable installations.

Early this week, the plugin was removed from the WordPress.org repository. it has been estimated that the plugin is installed on over 30,000 websites.

Experts at security firm Wordfence observed a high volume of attempts to exploit the vulnerability after a security researcher publicly disclosed this week proof of concept (POC) for a set of two software vulnerabilities affecting the plugin.

“On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin.” reads the blog post published by Wordfence.

“We are seeing a high volume of attempts to exploit this vulnerability. The exploits very closely resemble the POC posted by the irresponsible researcher.”

The experts said the privilege-escalation vulnerability exists in the yellow-pencil.php file. The file is used to check if the request parameter yp_remote_get has been set, and if it has, the plugin escalates the users’ privileges to that of an administrator.

An unauthenticated user could operate with admin privileges, for example, he could change arbitrary options.

Experts found similarities with other campaigns recently observed by the security experts, like the attacks that attempted to exploit vulnerabilities
the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins.

“We’re again seeing commonalities between these exploit attempts and attacks on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins.” continues the analysis. “Exploits so far are using a malicious script hosted on a domain, hellofromhony[.]com , which resolves to 176.123.9[.]53. That IP address was used in the other attacks mentioned. We are confident that all four attack campaigns are the work of the same threat actor.”

The developers of the Yellow Pencil Visual Theme Customizer WordPress plugin have already patched the flaw.

“As continues to be the case, a disgruntled security researcher continues to put the WordPress community at risk by publicly disclosing POCs for zero-day vulnerabilities.” concludes Wordfence.

“Site owners running the Yellow Pencil Visual Theme Customizer plugin are urged to remove it from their sites immediately.”

Update August 28, 2023

The current version of the plugin no longer contains such a security vulnerability, it has been updated, is actively available on WordPress.org, and boasts around 50,000 active users.

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)