Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.
Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice than to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.
In-the-wild exploits against Social Warfare, a plugin used by 70,000 sites, started three weeks ago. Developers for that plugin quickly patched the flaw but not before sites that used it were hacked.
Scams and online graft
All three waves of exploits caused sites that used the vulnerable plugins to surreptitiously redirect visitors to sites pushing tech-support scams and other forms of online graft. In all three cases, the exploits came after a site called Plugin Vulnerabilities published detailed disclosures on the underlying vulnerabilities. The posts included enough proof-of-concept exploit code and other technical details to make it trivial to hack vulnerable sites. Indeed, some of the code used in the attacks appeared to have been copied and pasted from the Plugin Vulnerabilities posts.
Within hours of Plugin Vulnerabilities publishing the Yellow Pencil Visual Theme and Social Warfare disclosures, the zeroday vulnerabilities were actively exploited. It took 11 days after Plugin Vulnerabilities dropped the Yuzo Related Posts zeroday for in-the-wild exploits to be reported. There were no reports of exploits of any of the vulnerabilities prior to the disclosures.
https://arstechnica.com/information-technology/2019/04/a-security-researcher-with-a-grudge-is-dropping-web-0days-on-innocent-users/