On March 30th, 2019, the developer of Yuzo Related Posts removed the plugin from the WordPress plugin directory after a WordPress security company publicly disclosed the vulnerability. While this prevented new users from being infected, the 60,000+ existing installs were not notified and thus were vulnerable.
When deobfuscated, we can see that the script will create a new script tag with a source of https://hellofromhony[.]org/counter, which will be injected into the head of the page.
Once injected, the browser will load the script located at hellofromhony[.]org, which will then cause visitors to be redirected through a series of sites until they land on a scam page. When BleepingComputer tested these redirects, we were brought to various “spin the wheel” type scam pages, surveys, an unwanted extension page, and the tech support scam shown below.
According to Defiant researcher Dan Moen, who wrote about this vulnerability today, missing authentication checks allowed attackers to modify the yuzo_related_post_options value in order to inject the script. This is being done through the improper use of the is_admin function, which is meant to determine whether a request is for the administrative section of a WordPress site, rather than the commonly misused way of checking whether a user is an admin.
“Developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used. In this scenario self::_ini_() is called on any request to an administrative interface page, including /wp-admin/admin-post.php, which allows a POST request to those pages to be processed by self::save_options(); later in the code.”
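The is_admin() misuse described above, shown as the vulnerable pattern beside a hardened one. This is an added illustration, not the Yuzo plugin's actual code; the class names, the admin_post action name yuzo_demo_save and the nonce field name are assumptions, while the option name yuzo_related_post_options is the one named in the article.

```php
<?php
// Added illustration, not the Yuzo plugin's own code. The option name follows
// the article; class names, action name and nonce field are assumptions.

// VULNERABLE PATTERN: is_admin() is true for any request to a /wp-admin/ URL,
// including /wp-admin/admin-post.php, which does not require a logged-in user.
// It says nothing about who is making the request or what they may do.
class Yuzo_Options_Demo_Vulnerable {
    public static function _ini_() {
        if ( is_admin() && isset( $_POST['yuzo_related_post_options'] ) ) {
            self::save_options();   // no capability check, no nonce check
        }
    }
    private static function save_options() {
        // Raw value stored as-is; the plugin later prints it into the page <head>,
        // so a stored <script> tag becomes a persistent redirect for every visitor.
        update_option( 'yuzo_related_post_options', wp_unslash( $_POST['yuzo_related_post_options'] ) );
    }
}

// HARDENED PATTERN: hook a named admin-post action (fires only for logged-in users),
// then verify the capability and the nonce, and sanitize before storing.
class Yuzo_Options_Demo_Fixed {
    public static function register() {
        add_action( 'admin_post_yuzo_demo_save', array( __CLASS__, 'save_options' ) );
    }
    public static function save_options() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
        }
        // Rejects requests that do not carry a valid nonce issued to this user
        check_admin_referer( 'yuzo_demo_save', 'yuzo_demo_nonce' );

        $raw   = isset( $_POST['yuzo_related_post_options'] ) ? wp_unslash( $_POST['yuzo_related_post_options'] ) : array();
        $clean = array_map( 'sanitize_text_field', (array) $raw ); // strips tags, so markup never reaches the DB
        update_option( 'yuzo_related_post_options', $clean );

        wp_safe_redirect( admin_url( 'options-general.php?page=yuzo-demo&updated=1' ) );
        exit;
    }
}

// Anything read back from the option must still be escaped at output time,
// e.g. esc_attr() or wp_kses_post(), so a value that slipped past the checks cannot run.
Yuzo_Options_Demo_Fixed::register();
```

Detection-wise, the stored value is the artifact to audit: a `<script src=...>` tag inside yuzo_related_post_options in the wp_options table indicates the site was already modified.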
In an email with BleepingComputer, the Yuzo developer who goes by the name iLen stated that they are currently working on resolving the vulnerabilities and that anyone currently using the plugin should remove it until a new version is released.
Injected scripts have a lot in common with previous WordPress attacks
Like the attacks on Yuzo, the previous attacks utilized a host that had the same IP address as the one used by hellofromhony[.]org and injected scripts that caused redirection to unwanted sites.
“Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53,” Moen explained. “That same IP address was used in the Social Warfare and Easy WP SMTP campaigns. In addition, all three campaigns involved exploitation of stored XSS injection vulnerabilities and have deployed malicious redirects. We are confident that the tactics, techniques and procedures (TTPs) in all three attacks point to a common threat actor.”
Proof of Concept disclosed on March 30th
The Yuzo developer took down the plugin on March 20th after the researchers at Pluginvulnerabilities.com publicly disclosed a proof of concept of the vulnerability.
“A bad person found a bug in Yuzo and this was what caused the redirection. It’s from the plugin and if I’m working on it,” the Yuzo developer told BleepingComputer.
According to the researchers at pluginvulnerabilities.com, they disclosed the vulnerability in protest of what they feel is “inappropriate behavior” from WordPress moderators.