The wave of attacks on WordPress plugins continues to gain momentum. Let me remind you that last week unknown attackers attacked a vulnerability in the Yuzo Related Posts plugin. As a result, criminals were able to redirect visitors to affected sites to various scam resources, from fake technical support to pages with ads or fake software updates hiding malware. Experts from Defiant and Sucuri have warned that the exploitation of the vulnerability in Yuzo Related Posts is the same criminal group that last month used to attack 0-day bugs in other plugins, Easy WP SMTP and Social Warfare.
Now a similar fate befell the plugin Yellow Pencil Visual Theme Customizer installed over 30,000 times. Currently, it is still removed from the official WordPress repository, although the developers have already released a patch that closes the exploit exploited by the criminals. Wordfence specialists explain that the plugin was attacked after an irresponsible and dangerous act by an unnamed information security researcher: he published a description of two vulnerabilities in Yellow Pencil on his blog Visual Theme Customizer and attached a PoC exploit to my report.
Journalists of the publication ArsTechnica explain that in all the cases described above, the exploitation of vulnerabilities began after the publication of exploits and descriptions of problems on the site
Plugin Vulnerabilities, which is positioned as a service provider for finding bugs in WordPress plugins , but no specifics about this company is known. In each case, the published technical details and code were enough for attackers to quickly take advantage of the vulnerabilities and launch attacks. At the same time, no active attacks on the problems were recorded before the exploits were published.
Interestingly, all three exploits were released by the same unnamed researcher, and the posts on Plugin Vulnerabilities emphasized that he was doing this as a sign of protest, as he was not satisfied with the moderation policy on the official WordPress support forums. ArsTechnica representatives managed to contact this anonymous researcher and find out his version of events. The specialist explained that he prefers to first disclose information about bugs, and only after that he tries to notify plugin developers about them. He tried to get in touch with the developers through the mentioned official WordPress support forums, but it turned out that “local moderators delete such posts too often without warning anyone about it.”
It is emphasized that in the cases of Yuzo Related Posts and Yellow Pencil, the researcher paid attention to the plugins and studied them after the unexpected removal from the official repository . Now he admits that the current exploitation of bugs and attacks on plugins can be due to both his posts with PoC exploits, and be the result of some parallel processes. At the same time, the anonymous author emphasized that 11 days had passed between the publication of the exploit for Yuzo Related Posts and the first attacks, which means that the developers have enough time to fix the problem. Moreover, the researcher once again emphasized that if the moderators of the official WordPress forums did their job, there would be no problems, and users would not be endangered. ArsTechnica journalists tried to understand where the roots of this hostility with the moderators go and who owns Plugin Vulnerabilities.
Representatives of the publication noticed that in the “basement” of the Plugin Vulnerabilities website you can find the copyright of the company White Fir Designs, LLC, while the whois of pluginvulnerabilities.com and whitefirdesign.com showed that they were owned by White Fir Designs of Greenwood Village in Colorado. After consulting Colorado's public business database, the reporters discovered that White Fir Designs was founded in 2006 by a man named John Michael Grillot (John Michael Grillot).
this post on Reddit, feud researcher with moderators began a long time ago, since he openly published information on forums about bugs that had not yet been closed, and the moderators first deleted the posts themselves, and then completely blocked the specialist’s account. So, according to this message in
Medium, the researcher was given a life ban, however he continued his activities, already using fake accounts. In addition, in the archives of Plugin Vulnerabilities you can find a entry dated back 2016, which also raises the issue of a conflict between a self-proclaimed security provider and support for the official WordPress forums.