What is the issue - A vulnerability in WordPress plugin ‘Yuzo related posts’ has been exploited by attackers to inject JavaScript and redirect users to scam pages.
Why it matters - This plugin has over 60,000 installations, and users have not been notified about the vulnerability.
The big picture
Worth noting - Dan Moen, a security researcher at Defiant, noted that missing authentication checks allowed attackers to modify the yuzo_related_post_options value in order to inject the script.
“Developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used. In this scenario self::_ini_() is called on any request to an administrative interface page, including /wp-admin/options-general.php and /wp-admin/admin-post.php, which allows a POST request to those pages to be processed by self::save_options(); later in the code,” Moen wrote in a blog post.
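The pattern Moen describes, as an added PHP illustration (not the Yuzo plugin's own code): a save handler gated only by is_admin(), beside a version that checks the caller's capability and a nonce before touching the option. Class and method names, and the option fields other than yuzo_related_post_options, are assumed for the example.

```php
<?php
// Added illustration, not the plugin's code. is_admin() only reports whether
// the *request* targets an admin-area URL such as /wp-admin/admin-post.php;
// it says nothing about who sent it or whether they are logged in.

// Vulnerable pattern (hypothetical): any POST to an admin URL reaches save_options().
class Hypothetical_Options_Vulnerable {
    public static function init() {
        if ( is_admin() ) {
            self::save_options();
        }
    }
    public static function save_options() {
        if ( isset( $_POST['yuzo_related_post_options'] ) ) {
            // Unauthenticated, unsanitized input is stored and later echoed into pages.
            update_option( 'yuzo_related_post_options', $_POST['yuzo_related_post_options'] );
        }
    }
}

// Hardened pattern: one dedicated admin-post action, capability check, nonce, sanitization.
class Hypothetical_Options_Hardened {
    public static function init() {
        add_action( 'admin_post_hypothetical_save_options', array( __CLASS__, 'save_options' ) );
    }
    public static function save_options() {
        // 1. Who is asking? Only users who may manage options.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
        }
        // 2. Did they intend it? Reject requests without a valid nonce (CSRF).
        check_admin_referer( 'hypothetical_save_options' );
        // 3. Is the data safe? Keep only known fields, each coerced to its expected type.
        $raw   = isset( $_POST['yuzo_related_post_options'] ) ? (array) $_POST['yuzo_related_post_options'] : array();
        $clean = array(
            'title' => sanitize_text_field( $raw['title'] ?? '' ),   // assumed field
            'limit' => absint( $raw['limit'] ?? 5 ),                 // assumed field
        );
        update_option( 'yuzo_related_post_options', $clean );
        wp_safe_redirect( admin_url( 'options-general.php' ) );
        exit;
    }
}
```

A quick audit check on any plugin is to search for update_option() calls and confirm each sits behind current_user_can() and a nonce check, not merely is_admin().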
What’s the conclusion?
The developer of Yuzo, who goes by the name ‘iLen’, stated that they are working on fixing the vulnerability and that anyone using the plugin should uninstall it until a new version is released.
“A bad person found a bug in Yuzo and this was what caused the redirection. It's from the plugin and if I'm working on it,” the Yuzo developer told BleepingComputer.
However, the developer removed the plugin from the WordPress plugin directory on March 30, 2019, after the researchers at Pluginvulnerabilities.com publicly disclosed the vulnerability.