If you have this plugin installed, even if it’s not active, delete it immediately!
Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild
by Dan Moen, Wordfence.com
April 10, 2019
The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These attacks appear to be linked to the same threat actor who targeted the recent Social Warfare and Easy WP SMTP vulnerabilities.
The XSS protection included in the Wordfence firewall protects against the exploit attempts we have seen so far. Both free and Premium Wordfence users are protected against these attacks. Based on a deeper analysis of the security flaws present in the plugin we have also deployed protection against additional attack vectors. Premium customers will receive the update today, free users in 30 days. We recommend that all users remove the plugin from their sites immediately.
Today, eleven days after this vulnerability was irresponsibly disclosed and a proof-of-concept (PoC) was published, threat actors have begun exploiting sites with Yuzo Related Posts installed.
When a user visits a compromised website containing the above payload, they will be redirected to malicious tech support scam pages.
Three Vulnerabilities with a Lot in Common
Our analysis shows that the attempts to exploit this vulnerability share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.
Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53. That same IP address was used in the Social Warfare and Easy WP SMTP campaigns. In addition, all three campaigns involved exploitation of stored XSS injection vulnerabilities and have deployed malicious redirects. We are confident that the tactics, techniques and procedures (TTPs) in all three attacks point to a common threat actor.
As was the case a few weeks ago, the irresponsible actions of a security researcher has resulted in a zero-day plugin vulnerability being exploited in the wild. Cases like this underscore the importance of a layered security approach which includes a WordPress firewall.
Site owners running the Yuzo Related Posts plugin are urged to remove it from their sites immediately, at least until a fix has been published by the author. (Wordfence Premium customers and free users have been protected against the current attacks we’re seeing in the wild. An additional firewall rule to protect against alternate exploits has been developed and deployed to our Premium customers today and will be available to free users in 30 days.)
This vulnerability is being actively exploited now.
From the WordPress plugin page:
The term “Yuzo” doesn’t show in your dashboard but if you have it installed it will look like this in the plugins list:
Deactivate it and then DELETE it now. Even deactivated, the plugin can be exploited.