Zero-day Vulnerability in WordPress Yellow Pencil Plugin Exploit [FIX]

Updated on

 Zero-Day Vulnerability Yellow Pencil WordPress plugin


Yellow Pencil Visual CSS Style Editor Plugin

Yellow Pencil WordPress Exploit

Privilege Escalation Vulnerability

What is Common in this explot?

How To fix it?

So, we have another WordPress plug-in, Yellow Pencil Visual Theme customizer which has been exploited as we discover two software vulnerabilities. The vulnerability is similar to the? Easy WP SMTP plugin vulnerability we talked about last week. Another one was a Zero-Day WordPress Plugin Vulnerability In Social Warfare Plugin

Attackers who are exploiting these flaws to hack wordpress site are responsible for other plug-in attacks in the past weeks, as per researchers. Yellow Pencil is a visual design plug-in that lets users design their website. It’s being actively installed for over 30,000 websites. Plug-in is found to have two software vulnerabilities which are facing heavy exploit.

Founders of Yellow Pencil Visual Theme Customizer have asked all its users to update it as soon as possible once it was found out that it had software vulnerabilities were being actively exploited. Lets know more about it and how to fix it in detail.

? Yellow Pencil WordPress Plugin – Visual CSS Style Editor

Yellow Pencil WordPress Plugin - Visual CSS Style Editor

Yellow Pencil WordPress plugin is used to Customize any WordPress site in minutes. Edit fonts, colors, sizes and more. YellowPencil’s robust, intuitive features, make the plugin unique. YellowPencil Visual CSS Editor generating the CSS code as a professional front-end developer.

An update has been shared on its website which asked users of Yellow Pencil to update to latest plug-in version, 7.2.0 as soon as possible. If your website doesn’t get redirected to malware website, then your website isn’t hacked. But it’s still advisable to redirect to malware website to ensure the safety of your website. 7.2.0 Version is secure and all the previous versions are under risk. 

As per WordPress, plugin has been removed from the plugin repository on Monday and can’t be used any longer for download. But a researcher took the dangerous and highly irresponsible decision of publishing a blog post regarding the method of exploiting a set of two software vulnerabilities in plug-in along with (POC) proof of concept” this is how the exploitation started, as per researchers. 

Since then there have been a large number of attempts of exploitation of that vulnerability. Therefore, site owners were asked to remove the theme customizer plugin from their site. 

We are noticing a lot of hacked WordPress blogs because of a critical zero-day vulnerability in WordPress Yellow Pencil Visual CSS style editor plugin that has over 30,000 active users. The plugin was closed from 8th April by and full disclosure was published the next day. 

? What was the flaw in WordPress Yellow Pencil Plugin?

The vulnerability allows an unauthenticated user to update WordPress options which can lead to redirecting the home page or getting full admin access to the CMS among other actions. Vulnerability lets unauthenticated users update options on WordPress which will lead to the page being redirected to the home page or allowing full access to CMS and similar actions.

That means that any unauthenticated user could perform site admin actions, like changing arbitrary options or more.

On the evening of 10th April, there was an attack on few WordPress plugins which included Yellow Plugin. This was an attack to some WordPress plugins including Yellow Pencil plugin.

Thus no file was infected. Only the “home” and “siteurl” rows of the wp-option table were affected and changed to other URL. We know how important it’s for you and therefore we try our best to handle it. We will help you in handling this. 

Related Read WordPress GDPR Compliance Plugin Exploit Vulnerability

? Privilege Escalation allows Arbitrary Options Updates

First flaw that started this attack is mentioned in the Yello-Pencil.php file given in the plugin. Yp_remote_get_first () function is provided on each page and ensures if the specific request parameter is set.  If these are present, then plugin makes its privileges available to the administrator as a reminder for the request.

Privilege Escalation Enables Arbitrary Options Updates

Privilege escalation performs user abilities checks in public moot after some time. Because of this, users who are not authentic are allowed to perform actions, like changing arbitrary options which were specifically meant for administrators of the site. A (CSRF) cross-site request forgery check was not included in the functions given below due to which exploitation had been difficult.

 Zero-Day Vulnerability in Yellow Pencil Visual Theme Customizer Exploit

What’s Common between recently discovered vulnerabilities?

There are some commonalities between these exploit attempts on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins.

These Exploits use a malicious script hosted on a domain, hellofromhony[.]com , which resolves to 176.123.9[.]53. That IP address was used in the other attacks mentioned.

? Here’s the update:

“Yellow Pencil plug-in has been through hack attack, they have fixed vulnerability and a new update has been released (7.2.0 version). Make sure that you are using the latest version.


We will help you until the infected website is fixed. Please follow our Facebook community for more updates. We are extremely sorry for the inconvenience caused”, reported by Yellow Pencil support team.

Please make sure that you update the plugin as soon as possible to the latest version to make sure your website is secure. 7.2.0 release is the safest version and rests all versions are at risk.

? Updating to The latest version

You will find an update button in the WordPress panel, click on the button and update will start. If you are not able to locate the update option, then you will have to do it manually.

You must update the plugin quickly to the latest version to ensure the security of your website, The 7.2.0 release is the safe version, and all older versions are currently at risk.

Download 7.2.0 Free

? Follow these steps to update the plugin:

  1. You need to deactivate and remove the old version from your WordPress panel while doing it you don’t have to worry about CSS, it will stay safe in your database.
  2. Download the latest  version of Yellow Pencil.
  3. Now in the WordPress dashboard, click the option of plugins and click add new.
  4. Click upload, select file and your download for Yellow Pencil is done.

? How To fix Zero-day vulnerability in Yellow Pencil WordPress plugin?

 How To fix yellow pencil wordpress plugin exploit

This security issue is related to the visitor view tool. Some WordPress sites are affected by this hack attack.

If your website is hacked, you can fix it in following ways:

⚒️ Scan Your Website

Update the plug-in to the latest version, clear cache, and scan your website with our WordPress security Scanner Here! We are specialists and can secure and analyze infected word press sites for you. Once you submit a request, we will start immediately.

WordPress hacked scanner online check

⚒️ Step 1 – Restore & Backup

Firstly restore your WordPress database into a backup to ensure that your data doesn’t get lost. The backup will be the easiest and safest way to be secured against future threats. Contact your host provider and they will help in the restoration of backup.

⚒️ Step 2 – Install New Version

Delete the previous old versions and install the new version:

  1. Through FTP, get access to your website, go to wp-content/plugins and delete the Yellow Pencil file (CSS changes will be safe in your data without any worries).
  2. If you are not able to get access and are using a cache plugin, delete cache folder in wp-content/plugin.
  3. Go to WordPress panel and install the latest version while following these steps on the page.

⚒️ Step 3 – Fixing the database:

  1. Log-in to WordPress database using phpMyAdmin with the help of your hosting control panel.
  2. Navigate through the wordpress_options table.
  3. Edit the first two rows “home” and “siteurl” in your domain, e.g,
  4. Click on database in the phpMyAdmin present on the left side of panel and then search in tables any name of the malicious domain to which your website is being redirected to, either with %baddomain to find any remaining malware is present.

Related – Export WordPress Database ? Via PhpMyadmin + Plugins [GUIDE]

           – Optimize & Repair WordPress Database – Fix Corrupted Tables


  1. Visit WordPress panel, then go to users and then click on your profile and select log out everywhere else.
  2. Check your browser and device, make sure that your device is free from malware and is clean.
  3. Ensure that your cache is clean and make sure everything is fine in your website.

? Need Expert Help – Get It Fixed Fast

If you have no idea how to create it, follow the steps here and ask them to fix the issue. Also, we at WP Hacked Help can fix this issue for $48, Contact us and let us know your issue . Still Confused? Head over to read our post to choose best wordpress security services.

Fix Hacked WordPress Website & Remove Malware - WPHackedHelp - contact-us

We have experts who will get blacklist resolved within the next 36 hours. There won’t be any further issues left and blacklist will be completely cleaned.

We have over 15 years of experience in WordPress and malware cleanup and website security. Our aim is to be the best in WordPress cleanups and that’s what we’ve been trying to do.

Our experts analyse each file to ensure that every issue on your WordPress site is removed.

Related Articles: