
Popular Yuzo WordPress Plugin Exploited to Redirect Users to Scams


A vulnerability in the popular Yuzo Related Posts WordPress plugin is being exploited by attackers to inject JavaScript into the pages of affected sites. The injected script redirects visitors to pages hosting scams, including tech support scams, and to pages pushing unwanted software such as browser extensions.

On March 30th, 2019, the developer of Yuzo Related Posts removed the plugin from the WordPress plugin directory after a WordPress security company publicly disclosed the vulnerability. While this stopped new users from installing the vulnerable version, the 60,000+ existing installs were not notified and thus remained exposed.

Cached Plugin Page for Yuzo Related Posts

Attackers have recently started exploiting the vulnerability, which plugin users noticed today when their WordPress sites suddenly began redirecting visitors to unwanted sites. On closer examination, users found that the vulnerability lets an attacker overwrite the yuzo_related_post_options value in the wp_options table so that it contains the following JavaScript.

Injected JavaScript Script

When deobfuscated, the script creates a new script element with a source of https://hellofromhony[.]org/counter and injects it into the head of the page.


Once injected, the browser loads the script hosted at hellofromhony[.]org, which then sends visitors through a series of redirects until they land on a scam page. When BleepingComputer tested these redirects, we were taken to various "spin the wheel" scam pages, surveys, an unwanted extension page, and the tech support scam shown below.
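Because the payload lives in a single wp_options row rather than in a file, the quickest triage is to inspect that option directly. The following WP-CLI script is an added example written for this article, not code from BleepingComputer, Defiant or the Yuzo plugin. It assumes nothing about the internal layout of yuzo_related_post_options (the value is walked recursively, whatever its structure), uses the domain and IP reported later in the article as indicators, and only rewrites the option when explicitly asked to.

```php
<?php
/*
 * check-yuzo-option.php (added illustration, not part of the article or plugin)
 * Run from the WordPress root with WP-CLI:
 *     wp eval-file check-yuzo-option.php          # report only
 *     wp eval-file check-yuzo-option.php clean    # report, back up, then scrub
 * Positional arguments are exposed by wp eval-file in $args.
 */

function yuzo_check_option( $option_name, array $iocs, $clean_mode ) {
    $value = get_option( $option_name );
    if ( false === $value ) {
        WP_CLI::success( "$option_name is not set; nothing to check." );
        return;
    }

    // Walk every string inside the option (nested arrays are common in
    // serialized WP options) and record anything that looks like injected script.
    $findings = array();
    $inspect  = function ( $node, $path ) use ( &$inspect, &$findings, $iocs ) {
        if ( is_array( $node ) || is_object( $node ) ) {
            foreach ( (array) $node as $key => $child ) {
                $inspect( $child, $path . '/' . $key );
            }
            return;
        }
        if ( ! is_string( $node ) ) {
            return;
        }
        // A plugin setting has no business containing a <script> element at all.
        $hit = (bool) preg_match( '#<\s*script\b#i', $node );
        foreach ( $iocs as $ioc ) {
            $hit = $hit || ( false !== stripos( $node, $ioc ) );
        }
        if ( $hit ) {
            $findings[] = array( 'path' => $path, 'snippet' => substr( $node, 0, 120 ) );
        }
    };
    $inspect( $value, $option_name );

    if ( empty( $findings ) ) {
        WP_CLI::success( "No <script> tags or known indicators found in $option_name." );
        return;
    }
    foreach ( $findings as $f ) {
        WP_CLI::warning( sprintf( '%s: %s', $f['path'], $f['snippet'] ) );
    }
    if ( ! $clean_mode ) {
        WP_CLI::log( 'Re-run with "clean" as the argument to strip <script>...</script> blocks.' );
        return;
    }

    // Preserve the tainted value (not autoloaded) so the cleanup is reversible
    // and the payload stays available for incident analysis.
    update_option( $option_name . '_tainted_backup', $value, false );

    // Remove whole <script> elements, including an obfuscated loader body.
    $scrub = function ( $node ) use ( &$scrub ) {
        if ( is_array( $node ) ) {
            return array_map( $scrub, $node );
        }
        if ( is_string( $node ) ) {
            return preg_replace( '#<\s*script\b[^>]*>.*?<\s*/\s*script\s*>#is', '', $node );
        }
        return $node; // objects and scalars are left untouched
    };
    update_option( $option_name, $scrub( $value ) );
    WP_CLI::success( "Scrubbed $option_name; original saved as {$option_name}_tainted_backup." );
}

yuzo_check_option(
    'yuzo_related_post_options',
    array( 'hellofromhony.org', '176.123.9.53' ),   // indicators taken from the article
    isset( $args[0] ) && 'clean' === $args[0]
);
```

Scrubbing the option is only a stopgap: while the vulnerable plugin version remains installed, the same unauthenticated request will simply re-inject the script, so remove or update the plugin first, then re-run the check, and treat any hit as a reason to review the rest of wp_options and the other plugins named in this article.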

Tech Support Scam

According to Defiant researcher Dan Moen, who wrote about this vulnerability today, missing authentication checks allow attackers to modify the yuzo_related_post_options value and inject the script. The root cause is a misuse of the is_admin() function: it reports whether the current request is for a page in the WordPress administration area (anything under /wp-admin/), not whether the current user is an administrator, yet developers commonly use it as if it were a privilege check.

“Developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used. In this scenario self::_ini_() is called on any request to an administrative interface page, including /wp-admin/options-general.php and /wp-admin/admin-post.php, which allows a POST request to those pages to be processed by self::save_options(); later in the code.”
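To make the distinction concrete, here is an added example written for this article, not Yuzo's actual code and not taken from Defiant's write-up. It shows a hypothetical settings handler for an option named yuzo_related_post_options, first written the way Moen describes (a handler that fires whenever is_admin() is true, so any POST to /wp-admin/admin-post.php reaches it before WordPress has authenticated anyone), then a hardened version that registers an explicit admin-post action, checks a capability and a nonce, and sanitizes each field. The class names, action name and field names are invented for the illustration; the WordPress functions are the real core APIs.

```php
<?php
/*
 * Added illustration of the is_admin() mistake, not the Yuzo plugin's code.
 * Both classes store a hypothetical settings array in yuzo_related_post_options.
 */

// --- Vulnerable pattern (do not use) -----------------------------------------
// is_admin() is true for ANY request to a /wp-admin/ URL, including an
// unauthenticated POST to /wp-admin/admin-post.php, and the init hook fires
// before auth_redirect() runs, so save_options() executes for anyone.
class Vulnerable_Related_Posts {
    public static function init() {
        if ( is_admin() ) {             // "am I on an admin page?", not "is this an admin?"
            self::save_options();
        }
    }
    public static function save_options() {
        if ( isset( $_POST['yuzo_related_post_options'] ) ) {
            // No capability check, no nonce, no sanitization: raw HTML lands in
            // wp_options and is later echoed into every page (stored XSS).
            update_option( 'yuzo_related_post_options', wp_unslash( $_POST['yuzo_related_post_options'] ) );
        }
    }
}
// add_action( 'init', array( 'Vulnerable_Related_Posts', 'init' ) );  // shown for contrast only

// --- Hardened pattern ---------------------------------------------------------
class Hardened_Related_Posts {
    const OPTION = 'yuzo_related_post_options';
    const ACTION = 'save_related_posts';   // hypothetical admin-post action name

    public static function init() {
        // Only the authenticated admin_post_{action} hook is registered; the
        // admin_post_nopriv_{action} variant is deliberately absent, so an
        // unauthenticated POST to admin-post.php does nothing at all.
        add_action( 'admin_post_' . self::ACTION, array( __CLASS__, 'save_options' ) );
    }

    public static function save_options() {
        // 1. Authorization: the user must actually be allowed to change settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
        }
        // 2. Anti-CSRF: the form must carry wp_nonce_field( self::ACTION, '_rp_nonce' ).
        check_admin_referer( self::ACTION, '_rp_nonce' );

        // 3. Sanitize every field for its intended type; no markup survives.
        $in    = isset( $_POST[ self::OPTION ] ) ? (array) wp_unslash( $_POST[ self::OPTION ] ) : array();
        $clean = array(
            'limit' => isset( $in['limit'] ) ? absint( $in['limit'] ) : 5,
            'title' => isset( $in['title'] ) ? sanitize_text_field( $in['title'] ) : '',
            // Custom CSS is a classic injection point; strip all tags so neither
            // <script> nor a </style> breakout can be stored.
            'css'   => isset( $in['css'] ) ? wp_strip_all_tags( $in['css'] ) : '',
        );
        update_option( self::OPTION, $clean );

        wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=related-posts' ) ) );
        exit;
    }
}
add_action( 'init', array( 'Hardened_Related_Posts', 'init' ) );
```

Two points worth keeping separate: the nonce only proves the request came from a form the site rendered for this user (CSRF protection), while current_user_can() is the actual authorization check, and neither replaces the other. Sanitizing on the way in is also not a substitute for escaping on the way out; whatever is read back from the option should still pass through esc_html(), esc_attr() or the appropriate escaper when rendered.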

In an email to BleepingComputer, the Yuzo developer, who goes by the name iLen, stated that they are currently working on resolving the vulnerabilities and that anyone still using the plugin should remove it until a new version is released.

Injected scripts have a lot in common with previous WordPress attacks

According to Moen, the injected scripts have a lot in common with previous attacks on the Social Warfare and Easy WP SMTP plugins.

Like the attacks on Yuzo, the earlier campaigns used a host that shared the IP address of hellofromhony[.]org and injected scripts that redirected visitors to unwanted sites.

“Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53,” Moen explained. “That same IP address was used in the Social Warfare and Easy WP SMTP campaigns. In addition, all three campaigns involved exploitation of stored XSS injection vulnerabilities and have deployed malicious redirects. We are confident that the tactics, techniques and procedures (TTPs) in all three attacks point to a common threat actor.”

Proof of Concept disclosed on March 30th

The Yuzo developer took down the plugin on March 30th after the researchers at Pluginvulnerabilities.com publicly disclosed a proof of concept for the vulnerability.

“A bad person found a bug in Yuzo and this was what caused the redirection. It’s from the plugin and I’m working on it,” the Yuzo developer told BleepingComputer.

According to the researchers at Pluginvulnerabilities.com, they disclosed the vulnerability publicly in protest at what they consider “inappropriate behavior” by WordPress moderators.
