Yuzo Related Post Plugin XSS vulnerability


This topic contains 13 replies, has 2 voices, and was last updated by AITpro Admin 6 months ago.

    #37060

    Fredel007
    Participant

    Hey BPS Pro team,

    We got an XSS attack because of a plugin "error": https://www.google.com/amp/s/www.getastra.com/blog/911/the-wordpress-yuzo-plugin-exploit/amp/
    BPS Pro didn't block / prompt this; can you explain why and give a hint which other plugin we may add?
    We had activated all relevant plugin features before the attack and scanned all code. The plugin was installed before activating BPS.

    #37062

    Fredel007
    Participant

    PS: sorry for the code, I wrote that post in a mail program before posting..

    #37063

    AITpro Admin
    Keymaster

    What is the error message that you are seeing? What is the name of the plugin that is causing the problem? I read the post in the link you posted above, but it looks like there are 2 different plugins involved in that exploit: the Yuzo plugin and the Related Posts plugin. I see that you first installed BPS Pro on your website(s) yesterday. If your website was already hacked before installing BPS Pro then you will need to clean up the hacker's code/files from your website/hosting account using the help steps in this forum topic > https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/

    Note: Assuming your website is hacked, and if the Yuzo/Related Posts hack is contained and has not given the hacker full control of your website and hosting account, then you may only need to clean up the Yuzo/Related Posts hack and not have to do any of the other hack cleanup steps in the hack cleanup help forum topic.

    Recommended: Look through the files in your hosting account root folder for any suspicious files. Check your wp-config.php file for any hacker code and check your theme files for any hacker code.

    #37064

    Fredel007
    Participant

    Hello, thanks for the fast feedback.

    It was the Yuzo Related Post plugin.

    More info on the issue: https://cyware.com/news/attackers-exploited-the-yuzo-wordpress-plugin-to-redirect-users-to-scam-pages-ff5eb85d

    https://www.getastra.com/blog/911/the-wordpress-yuzo-plugin-exploit/

    The site was then redirected to a third party.
    The hack was pushed into the database after installing BPS Pro & Firewall.
    I asked myself if that isn't something BPS Pro should have recognized / blocked?

    Thanks so much!

    Best

    #37065

    AITpro Admin
    Keymaster

    It looks like the XSS Injection hack adds hacker code in these possible files:

    https://www.getastra.com/blog/911/wordpress-hacked-redirect-wordpress-website-redirecting-to-malicious-pages/

    WordPress Redirect Hack: Where is the WordPress Redirect Infection?

    Attackers can infect the website by injecting code in any of the core files on WordPress. Check these files for the following malicious codes:

    Some codes even infect .js files, which includes jquery.js file. You can also find some of the malicious codes in the source code of the page.

    So it does not look like the hack adds any code to the Yuzo Related Posts plugin files, and that would mean that the BPS Pro Plugin Firewall would not block any of the existing hacker's code, since the BPS Pro Plugin Firewall protects all plugin folders and files in the WordPress /plugins/ folder. If the exploit is done by using a front-facing Yuzo Related Posts plugin file, then that Yuzo Related Posts plugin file will be whitelisted in the BPS Pro Plugin Firewall so that it works correctly and is not blocked. The Yuzo Related Posts plugin file that has the bad/vulnerable code in it is this one > assets/ilenframework/core.php, which would be protected by the BPS Pro Plugin Firewall, BUT if there is a front-facing plugin script for this plugin that includes the assets/ilenframework/core.php file, then assets/ilenframework/core.php would NOT be protected, since the internal call to the assets/ilenframework/core.php file would be allowed due to the front-facing Yuzo Related Posts plugin file that is whitelisted in the BPS Pro Plugin Firewall.

    Since the hack already existed before you installed the BPS Pro plugin, you will need to clean up the hack, and then BPS may be able to protect against any further attacks, BUT keep in mind that BPS Pro does not interfere with what is seen as the normal functionality of a plugin. So if there is a flaw/bug somewhere in a plugin's code, BPS Pro is not going to interfere with what is seen as "normal plugin functionality".

    I searched the Internet regarding the Yuzo Related Posts plugin and everyone is recommending the same thing – uninstall the Yuzo Related Posts plugin until a new patched Yuzo Related Posts plugin is released.

    #37066

    Fredel007
    Participant

    OK thanks. Also, that it changed wp_options: is that not possible to block?

    PS: Wordfence says they can block it? I thought it's better just using BPS Pro 🙂

    https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/

    best

    #37069

    AITpro Admin
    Keymaster

    In general, you would not want to block, protect or do anything with the WordPress wp_options database table directly. What I do not know is the exact sequence of the exploit, but what I assume is happening is that the exploit allows JavaScript to be injected/saved directly into the Yuzo Related Posts plugin's option settings in the wp_options database table. Then what I assume is happening is that the code injected into the Yuzo Related Posts plugin's option settings is used to create/inject/edit other WordPress files on a website.

    So if you remove all of the existing hacker's code in your database and files, and if the Yuzo Related Posts plugin does NOT include the Yuzo Related Posts plugin assets/ilenframework/core.php file in a frontloading plugin script, then yes, the BPS Pro Plugin Firewall will protect the vulnerable Yuzo Related Posts plugin assets/ilenframework/core.php file, will block the hack and will protect the WordPress wp_options database table from the XSS injection into the Yuzo Related Posts plugin option settings. If you want to download, zip and send me the zipped Yuzo Related Posts plugin, then I can give you an exact answer. Send the Yuzo Related Posts plugin zip file here: info at ait-pro dot com.

    #37070

    Fredel007
    Participant

    Thank you, just sent!

    Best

    #37071

    AITpro Admin
    Keymaster

    The vulnerability is much worse than I thought it was. Since the Yuzo Related Posts plugin has used the WordPress is_admin() function incorrectly, it allows injecting code into the plugin's database option settings by sending a POST request to these 2 WordPress files: /wp-admin/admin-post.php?page=yuzo-related-post and /wp-admin/options-general.php?page=yuzo-related-post. The BPS Pro Plugin Firewall does protect this Yuzo Related Posts plugin file from direct access: /yuzo-related-posts/assets/ilenframework/core.php, but that is not where the exploit is being done; it is only where the vulnerable code exists that allows the exploit to succeed. /yuzo-related-posts/assets/ilenframework/core.php is loaded internally on every page load in the main plugin file yuzo-related-posts.php: require_once "assets/ilenframework/core.php";. So what that means is that when a hacker sends a POST request injection to either the WordPress /wp-admin/admin-post.php file or the /wp-admin/options-general.php file, the internally loaded /yuzo-related-posts/assets/ilenframework/core.php allows the plugin database options to be updated in your WordPress database without the user being logged into the website.

    The only way to block a vulnerability of this type would be to create a specific security rule that blocks the specific attack string used to do this XSS injection, since is_admin() was used incorrectly, allowing a non-authenticated user to inject data into the WordPress database. I see a couple of other security vulnerabilities as well that no one is talking about… yet.

    Definitely delete this plugin and either find another “Related Posts” plugin or wait for the plugin author to release a new version.

    Interesting Note: The security vulnerability in the Yuzo Related Posts plugin has existed for at least 4 years before a hacker figured out this exploit. Checking the GitHub repository shows this last modified date: Aug 12, 2015 for the /yuzo-related-posts/assets/ilenframework/core.php file.

    #37087

    Fredel007
    Participant

    Hello & thanks for the details. What I'm asking myself is why two other similar providers of firewalls are claiming that sites had been protected when using their software. Is there a good add-on software for BPS? Thanks

    @other vulnerabilities: I hope I never find out 🙂

    #37088

    AITpro Admin
    Keymaster

    We could create a specific security rule to block this specific attack, which is what the other security plugins have done after the fact. I googled that and see that new WAF security rules were created to block the specific attack string used in this exploit, but the bigger problem is how the Yuzo Related Posts plugin is coded in general.

    That plugin's code needs to be fixed because it contains code that is fundamentally incorrect/bad. I would not personally install or use a plugin that I know is not coded correctly. The Yuzo Related Posts plugin author is working on getting a new version released that will have fixed the fundamental coding mistakes in that plugin.

    The fundamental coding mistake is that the Yuzo Related Posts plugin allows access to the wp-admin area from the frontend of a website for a user that is not logged in/authenticated. The access does not allow a user to gain literal/physical login access to the wp-admin area, but it does allow injections by bypassing wp-admin authentication, since the Yuzo Related Posts plugin allows updating the WordPress database remotely by a user that is not logged into the website. So knowing this, would you still want to keep this vulnerable plugin installed, or remove it and wait for a fix or get another plugin?

    Now this is the important thing > Since the Yuzo Related Posts plugin allows code injections into your WordPress database and website files, it is very likely that a code injection on a website could lead to your entire hosting account being compromised. Example: If a hacker injects code that allows a backdoor hacker file to be uploaded to your hosting account, then the hacker will have full control of your entire hosting account. If this were my site I would assume the worst case scenario and check the entire hosting account for any hacker files. That needs to be done manually by a human. Malware scanners do not typically find all hacker files and code.

    If you had BPS Pro installed before this hack occurred then BPS Pro AutoRestore|Quarantine would autorestore and/or quarantine all modified or uploaded files to your website/hosting account, but that is a temporary solution that would stop the hack and would keep the hack from spreading further. Example: a hacker injects code into one of your theme files: AutoRestore|Quarantine would quarantine the modified theme file and would autorestore a good/clean unmodified theme file that does not contain the injected hacker code, but the hacker can still keep trying the same hack repeatedly, since the Yuzo Related Posts plugin is fundamentally coded incorrectly and allows code injections into the WordPress database and website files.

    In summary, at this point you need to assume the worst case scenario, check your entire hosting account for any hacker files and code, and clean it up > You can use this help guide and do some of the help steps as a guide to cleaning up your website/hosting account > https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/. I considered creating a specific security rule that would block the hack, but have decided that is not really a smart thing to do. Why? Because the Yuzo Related Posts plugin is fundamentally coded incorrectly. This is not an isolated and specific problem with the plugin; the entire plugin itself is a security risk/vulnerability. You should remove it from your website/hosting account.

    If the reason you are trying to keep the Yuzo Related Posts plugin installed is that you do not want to lose all of the work that you have created and saved using this plugin, then make a database backup so that you have a copy of your work. When a new version of the plugin is released with fixed code, you can restore your database backup. Personally I would not do that myself and would instead manually write down any work that I had done and then nuke the Yuzo Related Posts plugin entirely.
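The mistake described in #37071 and summarized again in #37088 (is_admin() treated as an authorization check, so an unauthenticated POST to /wp-admin/admin-post.php or /wp-admin/options-general.php can write the plugin's options into wp_options) is easier to see beside a handler that does the check properly. The block below is an added example and is not code from the Yuzo Related Posts plugin or from BPS Pro. The vulnerable function is only the assumed shape of the bug; every name prefixed example_ (option, form field, action, nonce) is a hypothetical placeholder.

```php
<?php
// Added example, not code from the Yuzo Related Posts plugin or from BPS Pro.
// Names prefixed "example_" are hypothetical.
//
// is_admin() answers one question: "is this request for a /wp-admin/ URL?"
// It says nothing about who sent the request. A POST from an anonymous
// visitor to /wp-admin/admin-post.php (which fires 'admin_init' before any
// login check) makes it return true, so a handler gated only on is_admin()
// can be driven without logging in.

// --- Vulnerable pattern (assumed shape of the bug, not the plugin's actual code) ---
function example_vulnerable_save_settings() {
    if ( is_admin() && isset( $_POST['example_css'] ) ) {
        // No capability check, no nonce, no sanitization: whatever was POSTed,
        // <script> tags included, lands in wp_options and is printed later on
        // every front-end page. That is a stored XSS reachable by anyone.
        update_option( 'example_related_posts_css', wp_unslash( $_POST['example_css'] ) );
    }
}
// add_action( 'admin_init', 'example_vulnerable_save_settings' );

// --- Hardened version of the same operation ---
// 1. admin_post_{action} only fires for logged-in users (logged-out requests go
//    to admin_post_nopriv_{action}); the capability check is what authorizes.
// 2. check_admin_referer() verifies the nonce, so the request must come from a
//    form WordPress rendered for this user (CSRF protection).
// 3. Input is sanitized on save and stripped again on output.
add_action( 'admin_post_example_save_settings', 'example_hardened_save_settings' );

function example_hardened_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 403 );
    }
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $raw = isset( $_POST['example_css'] ) ? wp_unslash( $_POST['example_css'] ) : '';
    $css = wp_strip_all_tags( $raw ); // removes <script>, </style> break-outs, etc.
    update_option( 'example_related_posts_css', $css, false );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-related-posts' ) ) );
    exit;
}

// Settings form: carries the nonce and the action the hardened handler listens for.
function example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="hidden" name="action" value="example_save_settings">';
    echo '<textarea name="example_css">' . esc_textarea( get_option( 'example_related_posts_css', '' ) ) . '</textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// Output side: strip tags again when printing, as core's wp_custom_css_cb() does,
// so a value that reached wp_options by some other route still cannot break out of <style>.
function example_print_custom_css() {
    $css = get_option( 'example_related_posts_css', '' );
    if ( '' !== $css ) {
        echo '<style id="example-related-posts-css">' . wp_strip_all_tags( $css ) . '</style>';
    }
}
add_action( 'wp_head', 'example_print_custom_css' );
```

The difference that matters is not the hook but the two questions the hardened handler asks that the vulnerable one never does: does this user have the capability, and did this request originate from a form this user was shown. A WAF rule matching one attack string, as discussed above, leaves both questions unasked.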

    #37091

    Fredel007
    Participant

    Thanks for the super fast and detailed answer, got it.

    Just one question: "If you had BPS Pro installed before this hack occurred then BPS Pro AutoRestore|Quarantine would autorestore and/or quarantine all modified or uploaded files to your website/hosting account, but that is a temporary solution that would stop the hack and would keep the hack from spreading further."

    At least on my page that did not happen. I had BPS Pro installed, and during this the modification in the database was done without any notification / quarantine. Or do you mean something else?

    @code quality: good if you are a developer; I'd love to get into code and know if it's safe or not (and some 600k others didn't as well ;( )

    #37092

    Fredel007
    Participant

    Sorry, I already deleted that plugin of course, but I just want to be sure for the future if something else happens 🙂

    #37093

    AITpro Admin
    Keymaster

    had BPS Pro installed, and during this the modification in the database was done without any notification / quarantine. Or do you mean something else?

    Unfortunately, that means that the hack occurred before you had BPS Pro installed. You can verify that by comparing hacked website files with AutoRestore backup files here > /wp-content/bps-backup/autorestore/[rest of the path to a specific file]. If a hacked file with injected code exists in AutoRestore backup then the hack had already occurred on your website since the hacked file was backed up to AutoRestore backup. It is very common for website owners to not be aware that their website is hacked for months or sometimes years until something unusual is noticed that gives the hack away. The Yuzo Related Posts plugin security vulnerability has only been publicly revealed to the masses about a week ago, but the Yuzo Related Posts plugin security vulnerability has existed for at least 4 years. 😉

    Sorry, I already deleted that plugin of course, but I just want to be sure for the future if something else happens

    BPS Pro AutoRestore|Quarantine will stop this type of hack from being successful as long as BPS Pro is installed before the hacking attempt occurs.
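The check suggested in the reply above (compare the live files against the AutoRestore backup copies; a file with injected code that is identical in both trees was already hacked when the backup was taken) can be done for a whole tree at once. The script below is an added example and is not part of BPS Pro. It hashes both trees, reports what changed or appeared after the backup, and then greps the backup itself for injection markers, because "unchanged" is not the same as "clean". The demo directories, file contents and marker strings are constructed for this example; on a real site the two roots would be the site root and /wp-content/bps-backup/autorestore.

```php
<?php
// Added example, not part of BPS Pro. Directory layout, file contents and
// marker strings below are constructed for this demo.

// SHA-256 of every file under $root, keyed by path relative to $root.
function example_hash_tree( string $root, array $skip_prefixes = array() ): array {
    $root   = rtrim( $root, '/' );
    $hashes = array();
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        foreach ( $skip_prefixes as $prefix ) {
            if ( 0 === strpos( $rel, $prefix ) ) {
                continue 2; // e.g. skip the backup folder when it sits under the site root
            }
        }
        $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

// Live tree vs backup tree: what changed, what is new, what disappeared.
function example_compare_trees( string $live, string $backup, array $skip = array() ): array {
    $a      = example_hash_tree( $live, $skip );
    $b      = example_hash_tree( $backup );
    $report = array( 'modified' => array(), 'only_in_live' => array(), 'only_in_backup' => array() );
    foreach ( $a as $rel => $hash ) {
        if ( ! isset( $b[ $rel ] ) ) {
            $report['only_in_live'][] = $rel;   // appeared after the backup: possible upload/backdoor
        } elseif ( $b[ $rel ] !== $hash ) {
            $report['modified'][] = $rel;       // changed after the backup
        }
    }
    foreach ( array_keys( $b ) as $rel ) {
        if ( ! isset( $a[ $rel ] ) ) {
            $report['only_in_backup'][] = $rel; // removed from live since the backup
        }
    }
    return $report;
}

// Second pass over a tree: files whose content contains any of the given markers.
// Run this on the backup too; a hit there means the hack predates the backup.
function example_scan_markers( string $root, array $markers ): array {
    $root = rtrim( $root, '/' );
    $hits = array();
    foreach ( array_keys( example_hash_tree( $root ) ) as $rel ) {
        $body = file_get_contents( $root . '/' . $rel );
        foreach ( $markers as $m ) {
            if ( false !== stripos( $body, $m ) ) {
                $hits[] = $rel . ' (' . $m . ')';
            }
        }
    }
    return $hits;
}

// ---- Constructed demo trees ----
$base   = sys_get_temp_dir() . '/example-bps-' . uniqid();
$live   = $base . '/site';
$backup = $base . '/autorestore';
$files  = array(
    // relative path => array( live content, backup content or null if absent )
    'wp-config.php'                     => array( "<?php define('DB_NAME', 'wp');", "<?php define('DB_NAME', 'wp');" ),
    'wp-content/themes/demo/footer.php' => array( "<?php wp_footer(); ?><script src=\"//example.invalid/r.js\"></script>", "<?php wp_footer(); ?>" ),
    'wp-content/themes/demo/header.php' => array( "<?php eval(base64_decode(\$_POST['c'])); ?>", "<?php eval(base64_decode(\$_POST['c'])); ?>" ),
    'wp-content/uploads/2019/04/x.php'  => array( "<?php @system(\$_GET['cmd']); ?>", null ),
);
foreach ( $files as $rel => $pair ) {
    foreach ( array( $live => $pair[0], $backup => $pair[1] ) as $root => $content ) {
        if ( null === $content ) {
            continue;
        }
        @mkdir( dirname( "$root/$rel" ), 0700, true );
        file_put_contents( "$root/$rel", $content );
    }
}

print_r( example_compare_trees( $live, $backup ) );
print_r( example_scan_markers( $backup, array( 'eval(base64_decode', 'example.invalid' ) ) );
```

Run it with `php compare.php`. In the constructed trees, footer.php shows up as modified and the uploads x.php as only_in_live, which is what a hack that happened after the backup looks like; header.php is in neither list because both copies are identical, and only the marker scan of the backup tree reveals it, which is the "the hack was already there when BPS Pro was installed" case from the reply above. The marker list is deliberately short; it is a starting point for the manual review the thread recommends, not a substitute for it.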

