Yet another WordPress plugin, Yellow Pencil Visual Theme Customizer, is being exploited in the wild after two software vulnerabilities were discovered.
The maker of the WordPress plugin Yellow Pencil Visual Theme Customizer is asking all users to update immediately after it was found to have software vulnerabilities that are being actively exploited.
The attacker exploiting these flaws has been behind several other recent plugin attacks in the past few weeks, researchers said.
A visual-design plugin that lets users style their websites, Yellow Pencil has an active install base of more than 30,000 websites. However, the plugin was found to have two software vulnerabilities that are now under active exploit.
In a security update on its website, Yellow Pencil urged users to update to the latest version of the plugin, 7.2.0, as soon as possible: “If your website doesn’t redirect to a malware website, your website is not hacked, but you should update the plugin quickly to the latest version to keep your website safe. The 7.2.0 version is safe and all older versions are under risk now.”
According to WordPress, the plugin was removed from the plugin repository on Monday and is no longer available for download. A security researcher then “made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin,” after which the exploits began, Wordfence researchers said.
“We’re seeing a high volume of attempts to exploit this vulnerability,” researchers with Wordfence said in a Thursday post outlining the exploits. “Site owners running the Yellow Pencil Visual Theme Customizer plugin are urged to remove it from their sites immediately.”
Researchers said that one of the two flaws in the plugin is a privilege-escalation vulnerability in its yellow-pencil.php file. This file has a function that checks whether a specific request parameter (yp_remote_get) has been set; if it has, the plugin promptly escalates the user’s privileges to those of an administrator.
That means any unauthenticated user could perform site-admin actions, such as changing arbitrary site options, among other things.
The second flaw is that “a cross-site request forgery (CSRF) check is missing in the function below that would have made it much more difficult to exploit,” researchers said.
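Because the privilege escalation is triggered simply by the presence of the yp_remote_get request parameter, the most direct thing a site owner can do while the plugin is still installed is to look for that parameter in web-server access logs. The script below is an added example written for this article; it is not code from Threatpost, Wordfence or the Yellow Pencil project. The log lines are constructed for illustration (RFC 5737 test addresses, not real traffic), and the parser assumes the standard Apache/nginx “combined” log format. The only detail taken from the article is the parameter name; everything else is an assumption of the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format.
# These are made-up records for the example, not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Apr/2019:10:02:13 +0000] "GET /?yp_remote_get=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Apr/2019:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2019:10:02:16 +0000] "POST /wp-admin/admin-ajax.php?yp%5Fremote%5Fget HTTP/1.1" 200 88 "-" "curl/7.64.0"
192.0.2.44 - - [11/Apr/2019:10:03:01 +0000] "GET /blog/?s=yp_remote_get HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""

# Parameter named in the Wordfence write-up as the trigger for the escalation.
SUSPECT_PARAM = "yp_remote_get"

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def has_suspect_param(target, name=SUSPECT_PARAM):
    """True if `name` appears as a query-string parameter *name* in the request target.

    keep_blank_values=True matters: the plugin's check is on the parameter being
    set at all, so a bare `?yp_remote_get` with no value is as relevant as
    `?yp_remote_get=1`. parse_qs also percent-decodes, so an attacker writing
    `yp%5Fremote%5Fget` to dodge a naive substring grep is still caught, while a
    search for the string in a parameter *value* (e.g. `?s=yp_remote_get`) is not.
    """
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)
    return name in params


def find_exploit_attempts(log_text):
    """Return (ip, method, target, status) for every request carrying the trigger parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and has_suspect_param(rec["target"]):
            hits.append((rec["ip"], rec["method"], rec["target"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, method, target, status in find_exploit_attempts(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {status}")
```

Two caveats a practitioner should keep in mind. First, a hit records an attempt, not a successful compromise; the HTTP status alone does not tell you whether the privilege escalation fired, so a flagged site still needs to be checked for the injected redirect Yellow Pencil describes and, per Wordfence, should have the plugin removed regardless. Second, the article says only “request parameter”; if the plugin also reads it from the POST body, those attempts leave no trace in a standard access log, so an empty result from this script is not evidence that a site was not probed.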
Yellow Pencil did not respond to a request for further comment from Threatpost.
Plugin Exploit Specialists?
Researchers with Wordfence said they are “confident” that the plugin is being exploited by the same threat actor who has exploited other plugins, including Social Warfare and Easy WP SMTP, as well as Yuzo Related Posts, which was also discovered being exploited this week.
That is because the IP address of the domain hosting the malicious script in these attacks is the same one used in the other attacks, they said.
“We’re again seeing commonalities between these exploit attempts and attacks on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins,” they said. “We’re confident that all four attack campaigns are the work of the same threat actor.”