Threat Watch

WordPress Yuzo Plugin Flaw

Used by over 60,000 websites, Yuzo Related Posts is a plugin that lets WordPress users see posts related to the content they are viewing. A flaw in Yuzo was discovered and publicly disclosed by a researcher on March 30th, and 11 days later it was found being exploited in the wild. WordPress is urging its users to remove the plugin, which contains a cross-site scripting (XSS) flaw that attackers can use to bypass access controls, redirect users to a malicious site, deface websites, and obtain login information for WordPress administrator accounts. The flaw is suspected to stem from missing authentication checks in the plugin’s settings storage. Several companies and users have already come forward and confirmed that they were affected by exploitation of the flaw. A tweet posted by the company Mana Journal read, “We’ve identified a problem with one of our WordPress plugins, Yuzo Related Posts, which was causing some users to be re-directed to nasty advertising websites. We apologize for this and have now permanently removed the plugin from our server.” A report released in January stated that nearly 98 percent of WordPress vulnerabilities stem from third-party plugins.
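As an added illustration of the pattern described above (not Yuzo’s own code, which this note does not reproduce), a hypothetical WordPress settings handler that skips the authentication check is shown beside the hardened form a defender would expect; the option, action and nonce names are assumptions.

```php
<?php
// Added example: hypothetical WordPress plugin settings handler.
// Not Yuzo code; option/action/nonce names are assumptions for illustration.

// WEAK PATTERN: the AJAX handler is also registered for anonymous visitors
// (wp_ajax_nopriv_), performs no capability or nonce check, and stores raw
// input. The stored value is later printed unescaped, so any markup saved
// here is rendered on every page that shows the widget (stored XSS).
function weak_save_settings() {
    update_option( 'demo_related_posts_heading', $_POST['heading'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save', 'weak_save_settings' );
add_action( 'wp_ajax_nopriv_demo_save', 'weak_save_settings' );

function weak_render_widget() {
    echo '<h3>' . get_option( 'demo_related_posts_heading' ) . '</h3>';
}

// HARDENED PATTERN: logged-in only, capability check, nonce check,
// sanitise on save, escape on output.
function safe_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'demo_settings_nonce', 'nonce' ); // dies on failure

    $heading = isset( $_POST['heading'] ) ? wp_unslash( $_POST['heading'] ) : '';
    // A heading is plain text: strip tags and control characters before storing.
    $heading = sanitize_text_field( $heading );
    update_option( 'demo_related_posts_heading', $heading );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save', 'safe_save_settings' ); // no nopriv hook

function safe_render_widget() {
    // Escape at the point of output as well; sanitising on save is not
    // enough if the option can be written by another code path.
    echo '<h3>' . esc_html( get_option( 'demo_related_posts_heading', '' ) ) . '</h3>';
}
```

The three controls in the hardened handler (capability check, nonce check, sanitise-then-escape) are independent; a plugin that drops any one of them leaves a path to the same outcome.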


ANALYST NOTES

WordPress users are recommended to have automatic updates enabled. They should also keep a close watch on the third-party plugins they use and their activity, and stay alert for news of vulnerabilities that may affect them.