Popular Yuzo WordPress Plugin Exploited to Redirect Users to Scams

A vulnerability in the famous WordPress plugin called Yuzo Related Posts is being centered with the aid of attackers to inject JavaScript into the pages of the website online. This JavaScript will purpose visitors to be redirected to web sites displaying scams, together with tech guide scams, and websites selling undesirable software along with browser extensions.

On March 30th, 2019, the developer of Yuzo Related Posts removed the plugin from the WordPress plugin directory after a WordPress protection corporation publicly disclosed the vulnerability. While this averted new users from being infected, the 60,000+ present installs were now not notified and hence were vulnerable.

Attackers have currently commenced exploiting the vulnerability, which plugin users observed today as their WordPress web sites abruptly started out redirecting customers to unwanted sites. After closer exam, the users determined that a vulnerability changed into allowing attackers to adjust the yuzo_related_post_options fee of the wp_options table to comprise the subsequent JavaScript script.

Once injected, the browser will load the script located at hellofromhony[.]org, in order to then cause visitors to be redirected thru a chain of web sites till they land on a scam web page.  When BleepingComputer examined these redirects, we have been added to diverse “spin the wheel” kind rip-off pages, surveys, an unwanted extension page, and the tech aid scam shown underneath.

According to Defiant researcher Dan Moen, who wrote about this vulnerability nowadays, missing authentication checks allowed attackers to modify the yuzo_related_post_options fee a good way to inject the script.  This is being achieved thru the unsuitable use of the is_admin characteristic, which is used to determine if a user is inside the administrator phase of a WordPress web page instead of a normally misused way of checking if a consumer is an admin.

In an e-mail with BleepingComputer, the Yuzo developer who goes by way of the call even stated that they are currently working on resolving the vulnerabilities and that each person currently the use of the plugin must dispose of it until a new version is released.

Injected scripts have lots in not unusual with preceding WordPress assaults
According to Moen, the injected scripts have plenty in not unusual with previous assaults at the Social Warfare and Easy WP SMTP plugins.

Like the assaults on Yuzo, the preceding attacks utilized a host that had the equal IP deal with as the only utilized by hellofromhony[.]org and injected scripts that brought on redirection to unwanted websites..


“Exploits to date have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.Nine[.]fifty three.”, Moen defined. “That same IP deal with was used in the Social Warfare and Easy WP SMTP campaigns. In addition, all 3 campaigns worried exploitation of saved XSS injection vulnerabilities and feature deployed malicious redirects. We are assured that the procedures, strategies and approaches (TTPs) in all 3 attacks factor to a commonplace hazard actor.”

Proof of Concept disclosed on March thirtieth
The Yuzo developer took down the plugin on March 30th after the researchers at Pluginvulnerabilities.Com publicly disclosed proof of concept of the vulnerability.

“A bad individual observed a computer virus in Uuzo and this becomes what brought on the redirection. It’s from the plugin and if I’m working on it,” the Yuzo developer told BleepingComputer.

According to the researchers at pluginvulnerabilities.Com, they disclosed the vulnerability in protest to what they sense is “beside the point conduct” from WordPress moderators.

Update four/eleven/19: The researchers behind Pluginvulnerabilities.Com told BleepingComputer that they’d disclosed the vulnerability after the Yuzo plugin become already removed from the WordPress listing.

Ashley Stephens

Read Previous

New WordPress Plugin SomeNano Allows Creators To Charge Nano Coin For Exclusive Content

Read Next

WordPress removes vulnerable Yuzo Related Posts plugin