Attackers exploited the Yuzo WordPress plugin to redirect users to scam pages

• A vulnerability in WordPress plugin ‘Yuzo related posts’ has been exploited by attackers to inject JavaScript and redirect users to scam pages.
• A security researcher noted that missing authentication checks allowed attackers to modify the yuzo_related_post_options value in order to inject the script.

What is the issue - A vulnerability in WordPress plugin ‘Yuzo related posts’ has been exploited by attackers to inject JavaScript and redirect users to scam pages.

Why it matters - This plugin has over 60000 installations and the users have not been notified about the vulnerability.

The big picture

• The vulnerability in the WordPress plugin ‘Yuzo related posts’ allowed attackers to modify the yuzo_related_post_options value of the wp_options table to contain a JavaScript.
• This script will create a new script tag with source ‘https://hellofromhony[.]org/counter’, and the script will be injected into the head of the page.
• Once injected, this script will redirect users to several websites before landing them in a scam page.
• This scam page will be any kind of unwanted extension page or a survey, spin-the-wheel type scam page, or any tech support scam page.

Worth noting - A security researcher at Defiant, Dan Moen noted that missing authentication checks allowed attackers to modify the yuzo_related_post_options value in order to inject the script.

“Developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used. In this scenario self::_ini_() is called on any request to an administrative interface page, including /wp-admin/options-general.php and /wp-admin/admin-post.php, which allows a POST request to those pages to be processed by self::save_options(); later in the code,” Moen wrote in a blog.

What’s the conclusion?

The developer of Yuzo who goes under the name ‘iLen’ stated that they are working on fixing the vulnerability and anyone using the plugin should uninstall it until a new version is released.

“A bad person found a bug in Uuzo and this was what caused the redirection. It's from the plugin and if I'm working on it,” the Yuzo developer told BleepingComputer.

However, the developer removed the plugin from the WordPress plugin directory on March 30, 2019, after the researchers at Pluginvulnerabilities.com publicly disclosed the vulnerability.