So, another WordPress plugin, Yellow Pencil Visual Theme Customizer, is being exploited in the wild through two vulnerabilities. The bug class is similar to the Easy WP SMTP plugin vulnerability we covered last week and to the zero-day in the Social Warfare plugin.
According to researchers, the attackers exploiting these flaws to hack WordPress sites are the same group behind the other plugin attacks of recent weeks. Yellow Pencil is a visual design plugin that lets users customize the appearance of their site; it has over 30,000 active installations. The plugin contains two vulnerabilities that are under heavy exploitation.
Once it became known that the vulnerabilities were being actively exploited, the developers of Yellow Pencil Visual Theme Customizer asked all users to update as soon as possible. Let's look at the vulnerabilities and how to fix them in detail.
The Yellow Pencil plugin is used to customize any WordPress site in minutes: edit fonts, colors, sizes and more. Its visual CSS editor generates the CSS code the way a professional front-end developer would.
An update notice on the vendor's website asks all Yellow Pencil users to update to the latest plugin version, 7.2.0, as soon as possible. If your website is not being redirected to a malicious site, it has not been hit by this attack, but you should still update immediately to stay safe. Version 7.2.0 is secure; all previous versions are at risk.
The plugin was removed from the WordPress.org plugin repository on Monday and can no longer be downloaded from there. The next day a researcher published a blog post describing how to exploit the two vulnerabilities, along with proof-of-concept (PoC) code, a decision other researchers called dangerous and highly irresponsible; the exploitation attempts began after that disclosure.
Since then there have been a large number of attempts to exploit the vulnerabilities. Site owners were therefore advised to remove the theme customizer plugin from their sites until they could install a fixed version.
We are seeing many hacked WordPress sites due to a critical zero-day vulnerability in the Yellow Pencil Visual CSS Style Editor plugin, which has over 30,000 active installations. WordPress.org closed the plugin on 8 April and full disclosure was published the next day.
The vulnerability allows an unauthenticated user to update arbitrary WordPress options. That is enough to redirect the home page to another site, and can lead to full admin access to the CMS, among other actions. In other words, any unauthenticated visitor could perform actions reserved for site administrators, such as changing arbitrary options.
On the evening of 10 April, a wave of attacks began against several WordPress plugins, including Yellow Pencil.
In the attacks observed so far no files were infected: only the "home" and "siteurl" rows of the wp_options table were changed to point to another URL. We know how important your site is to you, and we will help you handle this.
The first flaw, the one that started this attack, is in the plugin's yellow-pencil.php file. The function yp_remote_get_first() runs on every page load and checks whether a specific request parameter is set. If it is, the plugin escalates the requester's privileges to those of an administrator for the remainder of the request.
Because this escalation happens before any authorization logic runs, the later user-capability checks are rendered moot: unauthenticated users can perform actions intended only for site administrators, such as changing arbitrary options. The affected functions also lacked a cross-site request forgery (CSRF) nonce check, which made exploitation trivial.
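To make the two flaws concrete, here is an added illustration written for this article, not Yellow Pencil's own code: a reconstruction of the vulnerable pattern described above next to a hardened version of the same handler. The function name yp_remote_get_first() and the file name come from the disclosure; the request parameter name, the AJAX action name, the option allow-list and the helper function bodies are assumptions.

```php
<?php
// Added illustration (not Yellow Pencil's code): the two flaws described
// above, reconstructed, and a hardened version of the same handler.
// Assumed names: the 'yp_remote_get' request parameter, the 'yp_save_option'
// AJAX action and the option allow-list. Requires PHP 7 for the ?? operator.

/* ---------- VULNERABLE PATTERN ---------- */

// Flaw 1: runs on every page load (hooked to 'init'). If a magic request
// parameter is present, the *unauthenticated* requester becomes an
// administrator for the rest of the request. No login, no nonce required.
function yp_remote_get_first_vulnerable() {
    if ( isset( $_REQUEST['yp_remote_get'] ) ) {            // assumption: parameter name
        $admins = get_users( array( 'role' => 'administrator', 'number' => 1 ) );
        if ( ! empty( $admins ) ) {
            wp_set_current_user( $admins[0]->ID );          // privilege escalation
        }
    }
}
add_action( 'init', 'yp_remote_get_first_vulnerable' );

// Flaw 2: the later capability check is now moot, and there is no CSRF
// (nonce) check, so one unauthenticated request can change arbitrary
// options such as 'home' and 'siteurl'.
function yp_save_option_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {         // passes: we are "admin"
        wp_die( 'forbidden' );
    }
    update_option( $_POST['option_name'], $_POST['option_value'] ); // arbitrary option
    wp_send_json_success();
}
// In a real plugin only one of the two handlers below would be registered.
add_action( 'wp_ajax_nopriv_yp_save_option', 'yp_save_option_vulnerable' );
add_action( 'wp_ajax_yp_save_option', 'yp_save_option_vulnerable' );

/* ---------- HARDENED VERSION ---------- */

// Fix 1: there is no safe form of "become admin because a parameter is set";
// the escalation is removed entirely. Admin features rely on the real login.

// Fix 2: require a logged-in user (no nopriv hook), a valid nonce, the
// capability, and an allow-list of the options the plugin legitimately edits.
const YP_ALLOWED_OPTIONS = array( 'yp_custom_css', 'yp_custom_fonts' ); // assumption

function yp_save_option_hardened() {
    check_ajax_referer( 'yp_save_option', 'nonce' );        // CSRF: dies on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $name  = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    $value = sanitize_textarea_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    if ( ! in_array( $name, YP_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'option not allowed', 400 );    // 'home' / 'siteurl' rejected
    }
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_yp_save_option', 'yp_save_option_hardened' ); // no nopriv hook
```

The nonce checked by check_ajax_referer() has to be minted on the editor page with wp_create_nonce( 'yp_save_option' ) and sent in the POST body as `nonce`. The allow-list is the part most plugins forget: even with a nonce and a capability check, letting the client name the option to write is what turns a CSS editor into a site takeover.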
These exploit attempts share infrastructure with the recent attacks on the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins. They load a malicious script hosted on the domain hellofromhony[.]com, which resolves to 176.123.9[.]53, the same IP address used in those attacks.
"The Yellow Pencil plug-in has been through a hack attack; they have fixed the vulnerability and a new update has been released (version 7.2.0). Make sure that you are using the latest version.
We will help you until the infected website is fixed. Please follow our Facebook community for more updates. We are extremely sorry for the inconvenience caused", reported the Yellow Pencil support team.
Please update the plugin to the latest version as soon as possible to keep your website secure. Release 7.2.0 is the safe version; all older versions are at risk.
You will find an update link for the plugin in the WordPress admin panel; click it and the update will start. If no update option is shown, you will have to update manually by removing the old version and installing the new one.
This security issue is related to the visitor view tool, and a number of WordPress sites have been affected by the attack.
If your website has been hacked, fix it as follows:
Update the plugin to the latest version, clear all caches, and scan your website with our WordPress security scanner. Our specialists can analyze and secure infected WordPress sites for you; once you submit a request, we start immediately.
First, make a backup of your current WordPress database so that no data is lost, then restore a clean backup taken before the attack; a clean backup is the easiest and safest way to recover. Your hosting provider can help with the restore.
Delete the old version of the plugin and install the new one.
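The attack described earlier changed only the home and siteurl rows of wp_options, so before and after the restore you want to verify those two rows and look for the reported indicators. The following WP-CLI script is an added example written for this article, not WP Hacked Help's or Yellow Pencil's tooling; the expected site URL is an assumption you must replace, and the script assumes WP_HOME and WP_SITEURL are not defined in wp-config.php (if they are, those constants override the database rows and the fix belongs there).

```php
<?php
// Added cleanup helper (not Yellow Pencil's or WP Hacked Help's code).
// Run with WP-CLI from the site root:  wp eval-file check-site-urls.php
// Assumptions: $expected below is your real site URL, and WP_HOME /
// WP_SITEURL are not set in wp-config.php.

$expected = 'https://example.com';                           // assumption: replace
$iocs     = array( 'hellofromhony.com', '176.123.9.53' );    // from the reports above

global $wpdb;

foreach ( array( 'home', 'siteurl' ) as $name ) {
    // Read the row directly: get_option() may return a cached or filtered value.
    $stored = (string) $wpdb->get_var( $wpdb->prepare(
        "SELECT option_value FROM {$wpdb->options} WHERE option_name = %s LIMIT 1",
        $name
    ) );

    $flag = '';
    foreach ( $iocs as $ioc ) {
        if ( false !== stripos( $stored, $ioc ) ) {
            $flag = " <-- matches known IoC $ioc";
        }
    }

    if ( untrailingslashit( $stored ) === untrailingslashit( $expected ) ) {
        WP_CLI::log( "$name OK: $stored" );
        continue;
    }

    WP_CLI::warning( "$name is '$stored', expected '$expected'$flag" );
    // update_option() validates the URL and also refreshes the options object cache.
    update_option( $name, untrailingslashit( $expected ) );
    WP_CLI::log( "$name reset to $expected" );
}

// The injected script is loaded from the IoC domain; look for it anywhere
// else in wp_options (widget, theme and plugin settings are stored here too).
$hits = $wpdb->get_col( $wpdb->prepare(
    "SELECT option_name FROM {$wpdb->options} WHERE option_value LIKE %s",
    '%' . $wpdb->esc_like( 'hellofromhony' ) . '%'
) );
foreach ( $hits as $hit ) {
    WP_CLI::warning( "option '$hit' references the IoC domain; inspect it by hand" );
}
```

Run it once before taking your forensic copy of the database (so the report shows what the attacker set) and again after the plugin update. Resetting the two options clears the WordPress object cache entry but not a page cache or CDN, so purge those separately, and treat any additional wp_options hit as a sign that more than the redirect was planted.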
If you do not know how to create a backup, ask your hosting provider to help with it and with fixing the issue. We at WP Hacked Help can also fix this issue for $48; contact us and describe the problem. Still confused? Read our post on choosing the best WordPress security services.
Our experts can get a blacklisting resolved within 36 hours, with no further issues left and the blacklist fully cleaned.
We have over 15 years of experience in WordPress malware cleanup and website security. Our aim is to be the best at WordPress cleanups, and that is what we work toward.
Our experts analyze every file to ensure that each issue on your WordPress site is removed.