Over the past three weeks, a trio of critical zero-day vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that let criminal hackers redirect unwitting visitors to malicious destinations. A self-proclaimed security provider that publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers in publishing patches and by site administrators in installing them also contributed.
Zero-day vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins, used by 60,000 and 30,000 websites respectively, have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zero-day posts were published, leaving affected websites little choice but to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.
In-the-wild exploits against Social Warfare, a plugin used by 70,000 sites, began three weeks ago. The developers of that plugin patched the flaw quickly, but not before sites that used it were hacked.
Tech-support scams and other online fraud
All three waves of exploits caused websites running the vulnerable plugins to redirect visitors to sites pushing tech-support scams and other forms of online fraud. In all three cases, the exploits came after a website called Plugin Vulnerabilities published detailed disclosures of the underlying vulnerabilities. The posts included enough proof-of-concept exploit code and other technical details to make hacking vulnerable sites easy. Indeed, some of the code used in the attacks appeared to have been copied and pasted from the Plugin Vulnerabilities posts.
Except in the case of Yuzo Related Posts, where 11 days elapsed between Plugin Vulnerabilities' drop of the zero-day and the first reports of in-the-wild exploits, the vulnerabilities were actively exploited within hours of the disclosure posts going live. There were no reports of attacks on any of the vulnerabilities before they were disclosed.
All three Plugin Vulnerabilities posts carried boilerplate language stating that the unnamed author was publishing them in protest of the "continued inappropriate behavior" of the moderators of the WordPress Support Forum. The author told Ars that he did not attempt to notify the developers until after publishing the zero-days.
"Our current disclosure policy is to fully disclose vulnerabilities and then to try to notify the developer through the WordPress Support Forum, though the moderators there all too often delete those messages and do not inform anyone," the author wrote in an email.
According to a blog post published Thursday by Warfare Plugins, the developer of Social Warfare, here is the timeline for March 21, the day Plugin Vulnerabilities dropped the zero-day for that plugin:
2:30 PM (approx.) – An unnamed individual publishes the exploit in a way that hackers can take advantage of. We do not know the exact time of publication, as the publication time was hidden by the individual. Attacks on unsuspecting websites begin almost immediately.
2:59 PM – WordPress becomes aware of the vulnerability's publication, removes Social Warfare from the WordPress.org repository, and emails our team about the issue.
3:07 PM – In a responsible and respectful manner, WordFence publishes a disclosure of the publication and the vulnerability without providing details on how the exploit could be used.
3:43 PM – Each member of the Warfare Plugins team is brought up to date, given tactical instructions, and begins responding to the situation in their area: development, communications, and customer care.
4:21 PM – A notification that we are aware of the exploit, along with instructions to disable the plugin until a patch is released, is published on Twitter as well as on our website.
5:37 PM – The Warfare Plugins development team commits final code to fix the vulnerability and to revert any malicious script injection that was redirecting sites. Internal testing begins.
5:58 PM – After thorough internal testing and submission of a patched version to WordPress for review, the new version of Social Warfare (3.5.3) is published.
6:04 PM – An email is sent to all Social Warfare Pro customers with details about the vulnerability and instructions to update immediately.
The author said that he or she went looking for security vulnerabilities in Yuzo Related Posts and Yellow Pencil after noticing that both had been removed from the WordPress plugin repository without explanation and growing suspicious. "So, while our posts could have led to exploitation, so too [sic] could a parallel process," the author wrote.
The author also pointed out that eleven days elapsed between the publication of the Yuzo Related Posts post and the first known reports of exploits. Those exploits would not have been possible had the developer fixed the vulnerability during that interval.
Asked whether there was any remorse for the innocent end users and site owners affected by the exploits, the author said: "We have no direct knowledge of what hackers are doing, but it is likely that our disclosures could lead to exploitation. Those full disclosures would have stopped long ago if the moderation of the Support Forum were simply cleaned up, so any damage caused by them could have been avoided if they had simply agreed."
The author declined to give a name or to identify Plugin Vulnerabilities as anything other than a service provider that finds vulnerabilities in WordPress plugins. "We try to stay a step ahead of hackers because our customers pay us to warn them about vulnerabilities in the plugins they use, and it is obviously better to warn them before those can be exploited."
Who is Plugin Vulnerabilities?
The Plugin Vulnerabilities website carries a copyright footer on each page that lists White Fir Designs, LLC. Whois records for pluginvulnerabilities.com and whitefirdesign.com also list the owner as White Fir Designs of Greenwood Village, Colorado. A search of the Colorado state business database shows that White Fir Designs was founded in 2006 by someone named John Michael Grillot.
The author's chief grievance with the WordPress Support Forum moderators, according to threads such as this one, is that they delete his posts and his accounts when he discloses unpatched vulnerabilities in the public forums. A recent media article said he had been "banned for life" but had vowed to continue the practice indefinitely using fictitious accounts. Posts like this one show that Plugin Vulnerabilities' public feud with the WordPress Support Forum has been going on since at least 2016.
To be sure, there is plenty of blame to go around for the recent exploits. Volunteer-submitted WordPress plugins have long been the biggest security risk for sites that run WordPress, and so far the developers of the open source CMS have found no way to sufficiently improve their quality. What's more, it often takes too long for plugin developers to fix critical vulnerabilities and for site administrators to install the fixes. The Warfare Plugins blog post is one of the best mea culpas ever offered for missing a critical bug before it was exploited.
The bulk of the blame, however, lies squarely with a self-described security service that is willing to drop zero-days as a form of protest or, alternatively, as a way to keep its customers safe (as if exploit code were required for that). With no apology and no remorse from the publisher, not to mention a staggering number of flawed, poorly tested plugins in the WordPress repository, it would not be surprising to see more zero-day disclosures in the coming days.
This post has been updated to remove incorrect details about White Fir Design.