A trio of critical zero-day vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks after a security researcher publicly disclosed the flaws before patches were made available.
The Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins that are used by 60,000 and 30,000 websites respectively came under attack once flaws in their code were revealed publicly online.
When the zero-day posts were published, both plugins were removed from the WordPress plugin repository which led websites to remove the plugins or risk being attacked themselves. Yellow Pencil issued a patch three days after the vulnerability was disclosed but the Yuzo Related Posts plugin remains closed as no patch was developed for it.
Additionally, the plugin Social Warfare, which is used by 70,000 sites, was hit with in-the-wild exploits after security flaws in its code were posted publicly. The plugin’s developers quickly patched the flaw but unfortunately it was too late as sites that used it were already hacked.
All three of the vulnerable plugins were hacked to redirect visitors to sites that pushed tech-support scams and other types of online fraud.
One thing they all shared in common though, is the fact that the exploits arrived after a site called Plugin Vulnerabilities published detailed posts disclosing the underlying vulnerabilities. These posts included enough technical details and proof-of-concept exploit code that hackers could easily use this information to attack the vulnerable plugins and to make matters worse some of the code used in the attacks had clearly been copied and pasted from the posts on Plugin Vulnerabilities.
Once the Yellow Pencil Visual Theme and Social Warfare vulnerabilities were disclosed, they were exploited by hackers within hours. The Yuzo Related Posts zero-day on the other hand was out in the wild for 11 days before it was exploited.
The security researcher at Plugin Vulnerabilities responsible for publishing the posts detailing the zero-day vulnerabilities explained why he had chosen to do so to Ars Technica, saying:
“Our current disclosure policy is to full disclose vulnerabilities and then to try to notify the developer through the WordPress Support Forum, though the moderators there… too often just delete those messages and not inform anyone about that.”
Basically the security researcher decided to publish the zero-day vulnerabilities on their own site after posts they made about the vulnerabilities were removed from the WordPress Support Forum for breaking its rules. While informing developers regarding zero-day vulnerabilities is one thing, posting them publicly where anyone, even hackers, can see them is a different story altogether.
Via Ars Technica