Yuzo Related Posts WordPress Plugin - Major Security Flaw A critical vulnerability in the code of the well-known WordPress plugin Yuzo Related Post resulted in many malicious XSS redirects to harmful web sites such as hellofromhony.org and silken.ru

Permalink e URL semantiche su Wordpress con IIS

Definitely a bad week for Lenin Zapata, author of the well-known Yuzo Related Post plugin for WordPress. The plugin, installed on over 60,000 websites, was removed from the WordPress.org plug-in directory on March 30, 2019 following the public disclosure of a vulnerability in the code. The vulnerability, currently still without patches, allows the attacker to insert a script into the pages of the websites that have the plugin installed using a technique known as Cross-Site Scripting (XSS).

The vulnerability present in the plugin is the result of an improper use of the is_admin() function, which has the precise purpose of verifying whether the URL accessed is in the administration section but which is mistakenly used by many WordPress plugin developers to check if the current user has or less of administrative privileges. A "misunderstanding" far from trivial, to the point that the WordPress Codex explicitly sees the need to refrain from such misuse:

This Conditional Tag checks if the Dashboard or the administration panel is attempting to be displayed. It is a boolean function that will return true if the URL being accessed is in the admin section, or false for a front-end page. This function does not verify whether the current user has permission to view the Dashboard or the administration panel. Use current_user_can() instead.

Here's the source code containing the security flaw, which is part of the assets/ilenframework/core.php file shipped with the plugin:

As you can see, the code allows to issue a call to the self::ini() function to all requests directed to an administration page - thus including /wp-admin/options-general.php and /wp-admin/admin-post .php - which allows the attacker to inoculate a POST request and, consequently, arbitrarily modify the plugin options via the self::save_options() function (which is called later in the code). Among the various options of the plugin that it is possible to modify in this way there is the yuzo_related_post_css_and_style setting, which allows you to insert custom HTML code within the page: the perfect place to insert a Cross-Site Script in order to perform a series of actions not authorized, including the redirect to another site.

As is now known, the attacker(s) did precisely that, causing a malicious XSS redirect of many yuzo-enabled websites to the hellofromhony.org domain, where the scripts, and then on unsafe sites like silken.ru.

Here's the JavaScript code that was injected inside the yuzo_related_post_css_and_style option:

The malicious script consists of a single eval() statement, a function often used by developers to execute "obfuscated" JavaScript in the form of an encoded string. The code, once decoded, can be read in this way:

As you can see, this is a trivial (but far from harmless) redirect script, which allows the attacker to "hijack" each visitor's browser on a web page of his choice.

A big "thank you" to Wordfence.com, the official website of the excellent Wordfence Security WP plugin, for having published the news and therefore warned the entire WordPress community on one of the most relevant threats of recent times.


About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies. Microsoft MVP for Development Technologies since 2018.

View all posts by Ryan

Leave a Reply

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.

This site uses Akismet to reduce spam. Learn how your comment data is processed.