The Yuzo Related Posts plugin was removed from the WordPress plugin store on March 30th, 2019. after a zero-day vulnerability was publicly, and irresponsibly, disclosed by a security researcher the same day.
The Yuzo Related Posts plugin is currently installed on over 60,000 websites worldwide that at the time of writing are yet to be notified.
Many users reported that threat actors in the wild have recently started exploiting the vulnerability, they noticed that their websites were redirecting users to unwanted sites.
According to security experts at WordFence, the vulnerability in Yuzo plugin stems from missing authentication checks in the plugin routines used to store settings in the database.
“The vulnerability in Yuzo Related Posts stems from missing authentication checks in the plugin routines responsible for storing settings in the database.” reads the blog post published by WordFence.
The Plugin author Lenin Zapata provided the following suggestion to halt the attack:
Soon I will send an improved version of Yuzo for all users.
Once deobfuscated, the script will create a new script tag with a source of https://hellofromhony[.]org/counter, which will be injected into the head of the page. When a user visits a compromised website will be redirected to malicious websites, such as tech support scam pages.
WordFence researchers believe that the attacks were carried out by the same threat actors that targeted WordPress installs using the Social Warfare and Easy WP SMTP plugins.
The exploits against the above pluging have used a malicious script hosted on the domain hellofromhony[.]org, which resolves to 176.123.9[.]53, that is same IP address involved in the Social Warfare and Easy WP SMTP campaigns. All three campaigns leverage stored XSS injection vulnerabilities and have deployed malicious redirects.
“Cases like this underscore the importance of a layered security approach which includes a WordPress firewall.” concludes WordFence
“Site owners running the Yuzo Related Posts plugin are urged to remove it from their sites immediately, at least until a fix has been published by the author.”