A privilege escalation vulnerability in the Yellow Pencil Visual Theme Customizer plugin exposes WordPress websites to hack. The flaw could be exploited by attackers to update arbitrary options on vulnerable installations.
Early this week, the plugin was removed from the WordPress.org repository. it has been estimated that the plugin is installed on over 30,000 websites.
Experts at security firm
“On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin.” reads the blog post published by Wordfence.
“We are seeing a high volume of attempts to exploit this vulnerability. The exploits very closely resemble the POC posted by the irresponsible researcher.”
The experts said the privilege-escalation vulnerability exists in the yellow-pencil.php file. The file is used to check if the request parameter yp_remote_get has been set, and if it has, the plugin escalates the users’ privileges to that of an administrator.
Experts found similarities with other campaigns recently observed by the security experts, like the attacks that attempted to exploit vulnerabilities
the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins.
“We’re again seeing commonalities between these exploit attempts and attacks on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins.” continues the analysis. “Exploits so far are using a malicious scrip
“As continues to be the case, a disgruntled security researcher continues to put the WordPress community at risk by publicly disclosing POCs for zero-day vulnerabilities.” concludes Wordfence.
“Site owners running the Yellow Pencil Visual Theme Customizer plugin are urged to remove it from their sites immediately.”