A privilege escalation vulnerability in the Yellow Pencil Visual Theme Customizer plugin has exposed several WordPress sites to various attacks. The plugin is estimated to be installed on over 30,000 websites.
What’s the matter - The vulnerability, discovered by researchers from Wordfence, can allow remote attackers to update arbitrary code on an affected site and take control of it.
The researchers observed a high volume of attack attempts after a security researcher publicly disclosed a Proof of Concept (PoC) for the vulnerability, along with a second security flaw in the plugin.
“On Monday the WordPress plugin Yellow Pencil Visual Theme Customizer was closed in the WordPress.org plugin repository. The plugin is quite popular, with an active install base of over 30,000 websites. On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin,” said security researchers in a blog post.
What is the vulnerability - The privilege escalation vulnerability in question exists in the yellow-pencil.php file. It can allow unauthenticated users to perform unwanted actions, such as changing arbitrary options that are meant only for site administrators.
“This privilege escalation makes any user capabilities checks later in the plugin moot. As a result, unauthenticated users can perform actions, such as changing arbitrary options, that were only meant for site administrators. A cross-site request forgery (CSRF) check is missing in the function below that would have made it much more difficult to exploit,” researchers explained.
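The two missing checks the researchers describe, a capability check and a CSRF nonce check, are easiest to see side by side. The following is an added example written for this article, not code from the Yellow Pencil plugin: the option key `example_plugin_setting`, the nonce action `example_save_options` and the `example_option_value` request parameter are assumed names, and the vulnerable function is a generic illustration of this bug class rather than the plugin's actual code. All WordPress functions used are real core APIs.

```php
<?php
// Added illustrative example, not code from the Yellow Pencil plugin.
// Hypothetical names throughout: the option key, the nonce action and the
// request parameter name are assumptions chosen for this example.

// VULNERABLE PATTERN (the class of bug described above): a handler hooked
// early in the request acts on POST data without confirming who sent it.
function example_vulnerable_save_options() {
    if ( isset( $_POST['example_option_value'] ) ) {
        // No capability check: an unauthenticated visitor reaches this line,
        // so "admin-only" checks elsewhere in the plugin are moot.
        // No nonce check: a logged-in administrator can also be made to
        // submit this request from another site (CSRF).
        update_option( 'example_plugin_setting', $_POST['example_option_value'] );
    }
}
// add_action( 'init', 'example_vulnerable_save_options' ); // left disabled

// HARDENED PATTERN: authenticate, authorize, verify the request origin,
// then sanitize before writing anything to the options table.
function example_hardened_save_options() {
    if ( ! isset( $_POST['example_option_value'] ) ) {
        return;
    }

    // 1. Authorization: only users holding the administrator-level
    //    capability may change plugin settings.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a nonce bound to this
    //    specific action and to the current user's session.
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( $_POST['_wpnonce'], 'example_save_options' ) ) {
        wp_die( 'Invalid request token.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Input handling: never store raw request data; normalise it to the
    //    type the option is expected to hold.
    $value = sanitize_text_field( wp_unslash( $_POST['example_option_value'] ) );
    update_option( 'example_plugin_setting', $value );
}
// admin_init only fires for wp-admin requests, which keeps the handler off
// the public front end entirely; the checks above are still required.
add_action( 'admin_init', 'example_hardened_save_options' );

// The settings form that posts to this handler must embed the matching
// nonce so that wp_verify_nonce() succeeds for legitimate submissions:
//     wp_nonce_field( 'example_save_options' );
```

When reviewing a plugin for this class of issue, look for any `update_option()`, `add_option()` or `delete_option()` call reachable from a hook such as `init` or `wp_loaded` and confirm that both a `current_user_can()` test and a `wp_verify_nonce()` or `check_admin_referer()` test sit between the request and the write; either one alone leaves a gap, as the quoted analysis notes.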
What next - Site owners running the Yellow Pencil Visual Theme Customizer plugin are urged to remove it from their sites immediately. The plugin has also been removed from the WordPress plugin repository.
Apart from the Yellow Pencil Visual Theme Customizer plugin, the researchers have also observed similar attack attempts exploiting vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins.